Line data Source code
1 : /* ssl/s3_enc.c */
2 : /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 : * All rights reserved.
4 : *
5 : * This package is an SSL implementation written
6 : * by Eric Young (eay@cryptsoft.com).
7 : * The implementation was written so as to conform with Netscapes SSL.
8 : *
9 : * This library is free for commercial and non-commercial use as long as
10 : * the following conditions are aheared to. The following conditions
11 : * apply to all code found in this distribution, be it the RC4, RSA,
12 : * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 : * included with this distribution is covered by the same copyright terms
14 : * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 : *
16 : * Copyright remains Eric Young's, and as such any Copyright notices in
17 : * the code are not to be removed.
18 : * If this package is used in a product, Eric Young should be given attribution
19 : * as the author of the parts of the library used.
20 : * This can be in the form of a textual message at program startup or
21 : * in documentation (online or textual) provided with the package.
22 : *
23 : * Redistribution and use in source and binary forms, with or without
24 : * modification, are permitted provided that the following conditions
25 : * are met:
26 : * 1. Redistributions of source code must retain the copyright
27 : * notice, this list of conditions and the following disclaimer.
28 : * 2. Redistributions in binary form must reproduce the above copyright
29 : * notice, this list of conditions and the following disclaimer in the
30 : * documentation and/or other materials provided with the distribution.
31 : * 3. All advertising materials mentioning features or use of this software
32 : * must display the following acknowledgement:
33 : * "This product includes cryptographic software written by
34 : * Eric Young (eay@cryptsoft.com)"
35 : * The word 'cryptographic' can be left out if the rouines from the library
36 : * being used are not cryptographic related :-).
37 : * 4. If you include any Windows specific code (or a derivative thereof) from
38 : * the apps directory (application code) you must include an acknowledgement:
39 : * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 : *
41 : * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 : * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 : * SUCH DAMAGE.
52 : *
53 : * The licence and distribution terms for any publically available version or
54 : * derivative of this code cannot be changed. i.e. this code cannot simply be
55 : * copied and put under another distribution licence
56 : * [including the GNU Public Licence.]
57 : */
58 : /* ====================================================================
59 : * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 : *
61 : * Redistribution and use in source and binary forms, with or without
62 : * modification, are permitted provided that the following conditions
63 : * are met:
64 : *
65 : * 1. Redistributions of source code must retain the above copyright
66 : * notice, this list of conditions and the following disclaimer.
67 : *
68 : * 2. Redistributions in binary form must reproduce the above copyright
69 : * notice, this list of conditions and the following disclaimer in
70 : * the documentation and/or other materials provided with the
71 : * distribution.
72 : *
73 : * 3. All advertising materials mentioning features or use of this
74 : * software must display the following acknowledgment:
75 : * "This product includes software developed by the OpenSSL Project
76 : * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 : *
78 : * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 : * endorse or promote products derived from this software without
80 : * prior written permission. For written permission, please contact
81 : * openssl-core@openssl.org.
82 : *
83 : * 5. Products derived from this software may not be called "OpenSSL"
84 : * nor may "OpenSSL" appear in their names without prior written
85 : * permission of the OpenSSL Project.
86 : *
87 : * 6. Redistributions of any form whatsoever must retain the following
88 : * acknowledgment:
89 : * "This product includes software developed by the OpenSSL Project
90 : * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 : *
92 : * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 : * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 : * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 : * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 : * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 : * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 : * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 : * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 : * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 : * OF THE POSSIBILITY OF SUCH DAMAGE.
104 : * ====================================================================
105 : *
106 : * This product includes cryptographic software written by Eric Young
107 : * (eay@cryptsoft.com). This product includes software written by Tim
108 : * Hudson (tjh@cryptsoft.com).
109 : *
110 : */
111 : /* ====================================================================
112 : * Copyright 2005 Nokia. All rights reserved.
113 : *
114 : * The portions of the attached software ("Contribution") is developed by
115 : * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 : * license.
117 : *
118 : * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 : * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 : * support (see RFC 4279) to OpenSSL.
121 : *
122 : * No patent licenses or other rights except those expressly stated in
123 : * the OpenSSL open source license shall be deemed granted or received
124 : * expressly, by implication, estoppel, or otherwise.
125 : *
126 : * No assurances are provided by Nokia that the Contribution does not
127 : * infringe the patent or other intellectual property rights of any third
128 : * party or that the license provides you with all the necessary rights
129 : * to make use of the Contribution.
130 : *
131 : * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 : * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 : * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 : * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 : * OTHERWISE.
136 : */
137 :
138 : #include <stdio.h>
139 : #include "ssl_locl.h"
140 : #include <openssl/evp.h>
141 : #include <openssl/md5.h>
142 :
143 : static unsigned char ssl3_pad_1[48] = {
144 : 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145 : 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146 : 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147 : 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148 : 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149 : 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
150 : };
151 :
152 : static unsigned char ssl3_pad_2[48] = {
153 : 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154 : 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155 : 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156 : 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157 : 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158 : 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
159 : };
160 :
161 : static int ssl3_handshake_mac(SSL *s, int md_nid,
162 : const char *sender, int len, unsigned char *p);
163 0 : static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
164 : {
165 : EVP_MD_CTX m5;
166 : EVP_MD_CTX s1;
167 : unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168 : unsigned char c = 'A';
169 : unsigned int i, j, k;
170 :
171 : #ifdef CHARSET_EBCDIC
172 : c = os_toascii[c]; /* 'A' in ASCII */
173 : #endif
174 : k = 0;
175 0 : EVP_MD_CTX_init(&m5);
176 0 : EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177 0 : EVP_MD_CTX_init(&s1);
178 0 : for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
179 0 : k++;
180 0 : if (k > sizeof buf) {
181 : /* bug: 'buf' is too small for this ciphersuite */
182 0 : SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
183 : return 0;
184 : }
185 :
186 0 : for (j = 0; j < k; j++)
187 0 : buf[j] = c;
188 0 : c++;
189 0 : EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
190 0 : EVP_DigestUpdate(&s1, buf, k);
191 0 : EVP_DigestUpdate(&s1, s->session->master_key,
192 0 : s->session->master_key_length);
193 0 : EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
194 0 : EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
195 0 : EVP_DigestFinal_ex(&s1, smd, NULL);
196 :
197 0 : EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
198 0 : EVP_DigestUpdate(&m5, s->session->master_key,
199 0 : s->session->master_key_length);
200 0 : EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
201 0 : if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202 0 : EVP_DigestFinal_ex(&m5, smd, NULL);
203 0 : memcpy(km, smd, (num - i));
204 : } else
205 0 : EVP_DigestFinal_ex(&m5, km, NULL);
206 :
207 0 : km += MD5_DIGEST_LENGTH;
208 : }
209 0 : OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
210 0 : EVP_MD_CTX_cleanup(&m5);
211 0 : EVP_MD_CTX_cleanup(&s1);
212 : return 1;
213 : }
214 :
215 0 : int ssl3_change_cipher_state(SSL *s, int which)
216 : {
217 : unsigned char *p, *mac_secret;
218 : unsigned char exp_key[EVP_MAX_KEY_LENGTH];
219 : unsigned char exp_iv[EVP_MAX_IV_LENGTH];
220 : unsigned char *ms, *key, *iv, *er1, *er2;
221 : EVP_CIPHER_CTX *dd;
222 : const EVP_CIPHER *c;
223 : #ifndef OPENSSL_NO_COMP
224 : COMP_METHOD *comp;
225 : #endif
226 : const EVP_MD *m;
227 : EVP_MD_CTX md;
228 : int is_exp, n, i, j, k, cl;
229 : int reuse_dd = 0;
230 :
231 0 : is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
232 0 : c = s->s3->tmp.new_sym_enc;
233 0 : m = s->s3->tmp.new_hash;
234 : /* m == NULL will lead to a crash later */
235 0 : OPENSSL_assert(m);
236 : #ifndef OPENSSL_NO_COMP
237 0 : if (s->s3->tmp.new_compression == NULL)
238 : comp = NULL;
239 : else
240 0 : comp = s->s3->tmp.new_compression->method;
241 : #endif
242 :
243 0 : if (which & SSL3_CC_READ) {
244 0 : if (s->enc_read_ctx != NULL)
245 : reuse_dd = 1;
246 0 : else if ((s->enc_read_ctx =
247 0 : OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
248 : goto err;
249 : else
250 : /*
251 : * make sure it's intialized in case we exit later with an error
252 : */
253 0 : EVP_CIPHER_CTX_init(s->enc_read_ctx);
254 0 : dd = s->enc_read_ctx;
255 :
256 0 : ssl_replace_hash(&s->read_hash, m);
257 : #ifndef OPENSSL_NO_COMP
258 : /* COMPRESS */
259 0 : if (s->expand != NULL) {
260 0 : COMP_CTX_free(s->expand);
261 0 : s->expand = NULL;
262 : }
263 0 : if (comp != NULL) {
264 0 : s->expand = COMP_CTX_new(comp);
265 0 : if (s->expand == NULL) {
266 0 : SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
267 : SSL_R_COMPRESSION_LIBRARY_ERROR);
268 0 : goto err2;
269 : }
270 0 : if (s->s3->rrec.comp == NULL)
271 0 : s->s3->rrec.comp = (unsigned char *)
272 0 : OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
273 0 : if (s->s3->rrec.comp == NULL)
274 : goto err;
275 : }
276 : #endif
277 0 : memset(&(s->s3->read_sequence[0]), 0, 8);
278 0 : mac_secret = &(s->s3->read_mac_secret[0]);
279 : } else {
280 0 : if (s->enc_write_ctx != NULL)
281 : reuse_dd = 1;
282 0 : else if ((s->enc_write_ctx =
283 0 : OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
284 : goto err;
285 : else
286 : /*
287 : * make sure it's intialized in case we exit later with an error
288 : */
289 0 : EVP_CIPHER_CTX_init(s->enc_write_ctx);
290 0 : dd = s->enc_write_ctx;
291 0 : ssl_replace_hash(&s->write_hash, m);
292 : #ifndef OPENSSL_NO_COMP
293 : /* COMPRESS */
294 0 : if (s->compress != NULL) {
295 0 : COMP_CTX_free(s->compress);
296 0 : s->compress = NULL;
297 : }
298 0 : if (comp != NULL) {
299 0 : s->compress = COMP_CTX_new(comp);
300 0 : if (s->compress == NULL) {
301 0 : SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
302 : SSL_R_COMPRESSION_LIBRARY_ERROR);
303 0 : goto err2;
304 : }
305 : }
306 : #endif
307 0 : memset(&(s->s3->write_sequence[0]), 0, 8);
308 0 : mac_secret = &(s->s3->write_mac_secret[0]);
309 : }
310 :
311 0 : if (reuse_dd)
312 0 : EVP_CIPHER_CTX_cleanup(dd);
313 :
314 0 : p = s->s3->tmp.key_block;
315 0 : i = EVP_MD_size(m);
316 0 : if (i < 0)
317 : goto err2;
318 0 : cl = EVP_CIPHER_key_length(c);
319 : j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
320 0 : cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
321 : /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
322 0 : k = EVP_CIPHER_iv_length(c);
323 0 : if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
324 0 : (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
325 : ms = &(p[0]);
326 0 : n = i + i;
327 0 : key = &(p[n]);
328 0 : n += j + j;
329 0 : iv = &(p[n]);
330 0 : n += k + k;
331 0 : er1 = &(s->s3->client_random[0]);
332 0 : er2 = &(s->s3->server_random[0]);
333 : } else {
334 : n = i;
335 0 : ms = &(p[n]);
336 0 : n += i + j;
337 0 : key = &(p[n]);
338 0 : n += j + k;
339 0 : iv = &(p[n]);
340 0 : n += k;
341 0 : er1 = &(s->s3->server_random[0]);
342 0 : er2 = &(s->s3->client_random[0]);
343 : }
344 :
345 0 : if (n > s->s3->tmp.key_block_length) {
346 0 : SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
347 0 : goto err2;
348 : }
349 :
350 0 : EVP_MD_CTX_init(&md);
351 0 : memcpy(mac_secret, ms, i);
352 0 : if (is_exp) {
353 : /*
354 : * In here I set both the read and write key/iv to the same value
355 : * since only the correct one will be used :-).
356 : */
357 0 : EVP_DigestInit_ex(&md, EVP_md5(), NULL);
358 0 : EVP_DigestUpdate(&md, key, j);
359 0 : EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
360 0 : EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
361 0 : EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
362 : key = &(exp_key[0]);
363 :
364 0 : if (k > 0) {
365 0 : EVP_DigestInit_ex(&md, EVP_md5(), NULL);
366 0 : EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
367 0 : EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
368 0 : EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
369 : iv = &(exp_iv[0]);
370 : }
371 : }
372 :
373 0 : s->session->key_arg_length = 0;
374 :
375 0 : EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
376 :
377 : #ifdef OPENSSL_SSL_TRACE_CRYPTO
378 : if (s->msg_callback) {
379 :
380 : int wh = which & SSL3_CC_WRITE ?
381 : TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
382 : s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
383 : mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
384 : if (c->key_len)
385 : s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
386 : key, c->key_len, s, s->msg_callback_arg);
387 : if (k) {
388 : s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
389 : iv, k, s, s->msg_callback_arg);
390 : }
391 : }
392 : #endif
393 :
394 0 : OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
395 0 : OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
396 0 : EVP_MD_CTX_cleanup(&md);
397 0 : return (1);
398 : err:
399 0 : SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
400 : err2:
401 : return (0);
402 : }
403 :
404 0 : int ssl3_setup_key_block(SSL *s)
405 : {
406 : unsigned char *p;
407 : const EVP_CIPHER *c;
408 : const EVP_MD *hash;
409 : int num;
410 : int ret = 0;
411 : SSL_COMP *comp;
412 :
413 0 : if (s->s3->tmp.key_block_length != 0)
414 : return (1);
415 :
416 0 : if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
417 0 : SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
418 0 : return (0);
419 : }
420 :
421 0 : s->s3->tmp.new_sym_enc = c;
422 0 : s->s3->tmp.new_hash = hash;
423 : #ifdef OPENSSL_NO_COMP
424 : s->s3->tmp.new_compression = NULL;
425 : #else
426 0 : s->s3->tmp.new_compression = comp;
427 : #endif
428 :
429 0 : num = EVP_MD_size(hash);
430 0 : if (num < 0)
431 : return 0;
432 :
433 0 : num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
434 0 : num *= 2;
435 :
436 0 : ssl3_cleanup_key_block(s);
437 :
438 0 : if ((p = OPENSSL_malloc(num)) == NULL)
439 : goto err;
440 :
441 0 : s->s3->tmp.key_block_length = num;
442 0 : s->s3->tmp.key_block = p;
443 :
444 0 : ret = ssl3_generate_key_block(s, p, num);
445 :
446 0 : if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
447 : /*
448 : * enable vulnerability countermeasure for CBC ciphers with known-IV
449 : * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
450 : */
451 0 : s->s3->need_empty_fragments = 1;
452 :
453 0 : if (s->session->cipher != NULL) {
454 0 : if (s->session->cipher->algorithm_enc == SSL_eNULL)
455 0 : s->s3->need_empty_fragments = 0;
456 :
457 : #ifndef OPENSSL_NO_RC4
458 0 : if (s->session->cipher->algorithm_enc == SSL_RC4)
459 0 : s->s3->need_empty_fragments = 0;
460 : #endif
461 : }
462 : }
463 :
464 0 : return ret;
465 :
466 : err:
467 0 : SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
468 0 : return (0);
469 : }
470 :
471 5212 : void ssl3_cleanup_key_block(SSL *s)
472 : {
473 5212 : if (s->s3->tmp.key_block != NULL) {
474 737 : OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
475 737 : OPENSSL_free(s->s3->tmp.key_block);
476 737 : s->s3->tmp.key_block = NULL;
477 : }
478 5212 : s->s3->tmp.key_block_length = 0;
479 5212 : }
480 :
481 : /*-
482 : * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
483 : *
484 : * Returns:
485 : * 0: (in non-constant time) if the record is publically invalid (i.e. too
486 : * short etc).
487 : * 1: if the record's padding is valid / the encryption was successful.
488 : * -1: if the record's padding is invalid or, if sending, an internal error
489 : * occured.
490 : */
491 0 : int ssl3_enc(SSL *s, int send)
492 : {
493 : SSL3_RECORD *rec;
494 : EVP_CIPHER_CTX *ds;
495 : unsigned long l;
496 : int bs, i, mac_size = 0;
497 : const EVP_CIPHER *enc;
498 :
499 0 : if (send) {
500 0 : ds = s->enc_write_ctx;
501 0 : rec = &(s->s3->wrec);
502 0 : if (s->enc_write_ctx == NULL)
503 : enc = NULL;
504 : else
505 0 : enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
506 : } else {
507 0 : ds = s->enc_read_ctx;
508 0 : rec = &(s->s3->rrec);
509 0 : if (s->enc_read_ctx == NULL)
510 : enc = NULL;
511 : else
512 0 : enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
513 : }
514 :
515 0 : if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
516 0 : memmove(rec->data, rec->input, rec->length);
517 0 : rec->input = rec->data;
518 : } else {
519 0 : l = rec->length;
520 0 : bs = EVP_CIPHER_block_size(ds->cipher);
521 :
522 : /* COMPRESS */
523 :
524 0 : if ((bs != 1) && send) {
525 0 : i = bs - ((int)l % bs);
526 :
527 : /* we need to add 'i-1' padding bytes */
528 0 : l += i;
529 : /*
530 : * the last of these zero bytes will be overwritten with the
531 : * padding length.
532 : */
533 0 : memset(&rec->input[rec->length], 0, i);
534 0 : rec->length += i;
535 0 : rec->input[l - 1] = (i - 1);
536 : }
537 :
538 0 : if (!send) {
539 0 : if (l == 0 || l % bs != 0)
540 : return 0;
541 : /* otherwise, rec->length >= bs */
542 : }
543 :
544 0 : if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
545 : return -1;
546 :
547 0 : if (EVP_MD_CTX_md(s->read_hash) != NULL)
548 0 : mac_size = EVP_MD_CTX_size(s->read_hash);
549 0 : if ((bs != 1) && !send)
550 0 : return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
551 : }
552 : return (1);
553 : }
554 :
555 746 : void ssl3_init_finished_mac(SSL *s)
556 : {
557 746 : if (s->s3->handshake_buffer)
558 0 : BIO_free(s->s3->handshake_buffer);
559 746 : if (s->s3->handshake_dgst)
560 0 : ssl3_free_digest_list(s);
561 746 : s->s3->handshake_buffer = BIO_new(BIO_s_mem());
562 746 : (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
563 746 : }
564 :
565 1486 : void ssl3_free_digest_list(SSL *s)
566 : {
567 : int i;
568 1486 : if (!s->s3->handshake_dgst)
569 1486 : return;
570 4458 : for (i = 0; i < SSL_MAX_DIGEST; i++) {
571 4458 : if (s->s3->handshake_dgst[i])
572 743 : EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
573 : }
574 743 : OPENSSL_free(s->s3->handshake_dgst);
575 743 : s->s3->handshake_dgst = NULL;
576 : }
577 :
578 6656 : void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
579 : {
580 6656 : if (s->s3->handshake_buffer
581 2226 : && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
582 2226 : BIO_write(s->s3->handshake_buffer, (void *)buf, len);
583 : } else {
584 : int i;
585 26580 : for (i = 0; i < SSL_MAX_DIGEST; i++) {
586 26580 : if (s->s3->handshake_dgst[i] != NULL)
587 4430 : EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
588 : }
589 : }
590 6656 : }
591 :
592 743 : int ssl3_digest_cached_records(SSL *s)
593 : {
594 : int i;
595 : long mask;
596 : const EVP_MD *md;
597 : long hdatalen;
598 : void *hdata;
599 :
600 : /* Allocate handshake_dgst array */
601 743 : ssl3_free_digest_list(s);
602 1486 : s->s3->handshake_dgst =
603 743 : OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
604 743 : memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
605 743 : hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
606 743 : if (hdatalen <= 0) {
607 0 : SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
608 0 : return 0;
609 : }
610 :
611 : /* Loop through bitso of algorithm2 field and create MD_CTX-es */
612 4458 : for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
613 4458 : if ((mask & ssl_get_algorithm2(s)) && md) {
614 743 : s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
615 : #ifdef OPENSSL_FIPS
616 : if (EVP_MD_nid(md) == NID_md5) {
617 : EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
618 : EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
619 : }
620 : #endif
621 743 : EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL);
622 743 : EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen);
623 : } else {
624 3715 : s->s3->handshake_dgst[i] = NULL;
625 : }
626 : }
627 743 : if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
628 : /* Free handshake_buffer BIO */
629 743 : BIO_free(s->s3->handshake_buffer);
630 743 : s->s3->handshake_buffer = NULL;
631 : }
632 :
633 : return 1;
634 : }
635 :
636 0 : int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
637 : {
638 0 : return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
639 : }
640 :
641 0 : int ssl3_final_finish_mac(SSL *s,
642 : const char *sender, int len, unsigned char *p)
643 : {
644 : int ret, sha1len;
645 0 : ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
646 0 : if (ret == 0)
647 : return 0;
648 :
649 0 : p += ret;
650 :
651 0 : sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
652 0 : if (sha1len == 0)
653 : return 0;
654 :
655 0 : ret += sha1len;
656 0 : return (ret);
657 : }
658 :
659 0 : static int ssl3_handshake_mac(SSL *s, int md_nid,
660 : const char *sender, int len, unsigned char *p)
661 : {
662 : unsigned int ret;
663 : int npad, n;
664 : unsigned int i;
665 : unsigned char md_buf[EVP_MAX_MD_SIZE];
666 : EVP_MD_CTX ctx, *d = NULL;
667 :
668 0 : if (s->s3->handshake_buffer)
669 0 : if (!ssl3_digest_cached_records(s))
670 : return 0;
671 :
672 : /*
673 : * Search for digest of specified type in the handshake_dgst array
674 : */
675 0 : for (i = 0; i < SSL_MAX_DIGEST; i++) {
676 0 : if (s->s3->handshake_dgst[i]
677 0 : && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
678 0 : d = s->s3->handshake_dgst[i];
679 0 : break;
680 : }
681 : }
682 0 : if (!d) {
683 0 : SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
684 0 : return 0;
685 : }
686 0 : EVP_MD_CTX_init(&ctx);
687 0 : EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
688 0 : EVP_MD_CTX_copy_ex(&ctx, d);
689 0 : n = EVP_MD_CTX_size(&ctx);
690 0 : if (n < 0)
691 : return 0;
692 :
693 0 : npad = (48 / n) * n;
694 0 : if (sender != NULL)
695 0 : EVP_DigestUpdate(&ctx, sender, len);
696 0 : EVP_DigestUpdate(&ctx, s->session->master_key,
697 0 : s->session->master_key_length);
698 0 : EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
699 0 : EVP_DigestFinal_ex(&ctx, md_buf, &i);
700 :
701 0 : EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL);
702 0 : EVP_DigestUpdate(&ctx, s->session->master_key,
703 0 : s->session->master_key_length);
704 0 : EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
705 0 : EVP_DigestUpdate(&ctx, md_buf, i);
706 0 : EVP_DigestFinal_ex(&ctx, p, &ret);
707 :
708 0 : EVP_MD_CTX_cleanup(&ctx);
709 :
710 0 : return ((int)ret);
711 : }
712 :
713 0 : int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
714 : {
715 : SSL3_RECORD *rec;
716 : unsigned char *mac_sec, *seq;
717 : EVP_MD_CTX md_ctx;
718 : const EVP_MD_CTX *hash;
719 : unsigned char *p, rec_char;
720 : size_t md_size, orig_len;
721 : int npad;
722 : int t;
723 :
724 0 : if (send) {
725 0 : rec = &(ssl->s3->wrec);
726 0 : mac_sec = &(ssl->s3->write_mac_secret[0]);
727 0 : seq = &(ssl->s3->write_sequence[0]);
728 0 : hash = ssl->write_hash;
729 : } else {
730 0 : rec = &(ssl->s3->rrec);
731 0 : mac_sec = &(ssl->s3->read_mac_secret[0]);
732 0 : seq = &(ssl->s3->read_sequence[0]);
733 0 : hash = ssl->read_hash;
734 : }
735 :
736 0 : t = EVP_MD_CTX_size(hash);
737 0 : if (t < 0)
738 : return -1;
739 0 : md_size = t;
740 0 : npad = (48 / md_size) * md_size;
741 :
742 : /*
743 : * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
744 : */
745 0 : orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
746 0 : rec->type &= 0xff;
747 :
748 0 : if (!send &&
749 0 : EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
750 0 : ssl3_cbc_record_digest_supported(hash)) {
751 : /*
752 : * This is a CBC-encrypted record. We must avoid leaking any
753 : * timing-side channel information about how many blocks of data we
754 : * are hashing because that gives an attacker a timing-oracle.
755 : */
756 :
757 : /*-
758 : * npad is, at most, 48 bytes and that's with MD5:
759 : * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
760 : *
761 : * With SHA-1 (the largest hash speced for SSLv3) the hash size
762 : * goes up 4, but npad goes down by 8, resulting in a smaller
763 : * total size.
764 : */
765 : unsigned char header[75];
766 : unsigned j = 0;
767 0 : memcpy(header + j, mac_sec, md_size);
768 0 : j += md_size;
769 0 : memcpy(header + j, ssl3_pad_1, npad);
770 0 : j += npad;
771 0 : memcpy(header + j, seq, 8);
772 0 : j += 8;
773 0 : header[j++] = rec->type;
774 0 : header[j++] = rec->length >> 8;
775 0 : header[j++] = rec->length & 0xff;
776 :
777 : /* Final param == is SSLv3 */
778 0 : ssl3_cbc_digest_record(hash,
779 : md, &md_size,
780 0 : header, rec->input,
781 0 : rec->length + md_size, orig_len,
782 : mac_sec, md_size, 1);
783 : } else {
784 : unsigned int md_size_u;
785 : /* Chop the digest off the end :-) */
786 0 : EVP_MD_CTX_init(&md_ctx);
787 :
788 0 : EVP_MD_CTX_copy_ex(&md_ctx, hash);
789 0 : EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
790 0 : EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
791 0 : EVP_DigestUpdate(&md_ctx, seq, 8);
792 0 : rec_char = rec->type;
793 0 : EVP_DigestUpdate(&md_ctx, &rec_char, 1);
794 : p = md;
795 0 : s2n(rec->length, p);
796 0 : EVP_DigestUpdate(&md_ctx, md, 2);
797 0 : EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
798 0 : EVP_DigestFinal_ex(&md_ctx, md, NULL);
799 :
800 0 : EVP_MD_CTX_copy_ex(&md_ctx, hash);
801 0 : EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
802 0 : EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
803 0 : EVP_DigestUpdate(&md_ctx, md, md_size);
804 0 : EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
805 0 : md_size = md_size_u;
806 :
807 0 : EVP_MD_CTX_cleanup(&md_ctx);
808 : }
809 :
810 : ssl3_record_sequence_update(seq);
811 0 : return (md_size);
812 : }
813 :
814 0 : void ssl3_record_sequence_update(unsigned char *seq)
815 : {
816 : int i;
817 :
818 0 : for (i = 7; i >= 0; i--) {
819 0 : ++seq[i];
820 0 : if (seq[i] != 0)
821 : break;
822 : }
823 0 : }
824 :
825 0 : int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
826 : int len)
827 : {
828 : static const unsigned char *salt[3] = {
829 : #ifndef CHARSET_EBCDIC
830 : (const unsigned char *)"A",
831 : (const unsigned char *)"BB",
832 : (const unsigned char *)"CCC",
833 : #else
834 : (const unsigned char *)"\x41",
835 : (const unsigned char *)"\x42\x42",
836 : (const unsigned char *)"\x43\x43\x43",
837 : #endif
838 : };
839 : unsigned char buf[EVP_MAX_MD_SIZE];
840 : EVP_MD_CTX ctx;
841 : int i, ret = 0;
842 : unsigned int n;
843 : #ifdef OPENSSL_SSL_TRACE_CRYPTO
844 : unsigned char *tmpout = out;
845 : #endif
846 :
847 0 : EVP_MD_CTX_init(&ctx);
848 0 : for (i = 0; i < 3; i++) {
849 0 : EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL);
850 0 : EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i]));
851 0 : EVP_DigestUpdate(&ctx, p, len);
852 0 : EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
853 0 : EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
854 0 : EVP_DigestFinal_ex(&ctx, buf, &n);
855 :
856 0 : EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL);
857 0 : EVP_DigestUpdate(&ctx, p, len);
858 0 : EVP_DigestUpdate(&ctx, buf, n);
859 0 : EVP_DigestFinal_ex(&ctx, out, &n);
860 0 : out += n;
861 0 : ret += n;
862 : }
863 0 : EVP_MD_CTX_cleanup(&ctx);
864 :
865 : #ifdef OPENSSL_SSL_TRACE_CRYPTO
866 : if (s->msg_callback) {
867 : s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
868 : p, len, s, s->msg_callback_arg);
869 : s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
870 : s->s3->client_random, SSL3_RANDOM_SIZE,
871 : s, s->msg_callback_arg);
872 : s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
873 : s->s3->server_random, SSL3_RANDOM_SIZE,
874 : s, s->msg_callback_arg);
875 : s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
876 : tmpout, SSL3_MASTER_SECRET_SIZE,
877 : s, s->msg_callback_arg);
878 : }
879 : #endif
880 0 : OPENSSL_cleanse(buf, sizeof buf);
881 0 : return (ret);
882 : }
883 :
884 0 : int ssl3_alert_code(int code)
885 : {
886 : switch (code) {
887 : case SSL_AD_CLOSE_NOTIFY:
888 : return (SSL3_AD_CLOSE_NOTIFY);
889 : case SSL_AD_UNEXPECTED_MESSAGE:
890 : return (SSL3_AD_UNEXPECTED_MESSAGE);
891 : case SSL_AD_BAD_RECORD_MAC:
892 : return (SSL3_AD_BAD_RECORD_MAC);
893 : case SSL_AD_DECRYPTION_FAILED:
894 : return (SSL3_AD_BAD_RECORD_MAC);
895 : case SSL_AD_RECORD_OVERFLOW:
896 : return (SSL3_AD_BAD_RECORD_MAC);
897 : case SSL_AD_DECOMPRESSION_FAILURE:
898 : return (SSL3_AD_DECOMPRESSION_FAILURE);
899 : case SSL_AD_HANDSHAKE_FAILURE:
900 : return (SSL3_AD_HANDSHAKE_FAILURE);
901 : case SSL_AD_NO_CERTIFICATE:
902 : return (SSL3_AD_NO_CERTIFICATE);
903 : case SSL_AD_BAD_CERTIFICATE:
904 : return (SSL3_AD_BAD_CERTIFICATE);
905 : case SSL_AD_UNSUPPORTED_CERTIFICATE:
906 : return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
907 : case SSL_AD_CERTIFICATE_REVOKED:
908 : return (SSL3_AD_CERTIFICATE_REVOKED);
909 : case SSL_AD_CERTIFICATE_EXPIRED:
910 : return (SSL3_AD_CERTIFICATE_EXPIRED);
911 : case SSL_AD_CERTIFICATE_UNKNOWN:
912 : return (SSL3_AD_CERTIFICATE_UNKNOWN);
913 : case SSL_AD_ILLEGAL_PARAMETER:
914 : return (SSL3_AD_ILLEGAL_PARAMETER);
915 : case SSL_AD_UNKNOWN_CA:
916 : return (SSL3_AD_BAD_CERTIFICATE);
917 : case SSL_AD_ACCESS_DENIED:
918 : return (SSL3_AD_HANDSHAKE_FAILURE);
919 : case SSL_AD_DECODE_ERROR:
920 : return (SSL3_AD_HANDSHAKE_FAILURE);
921 : case SSL_AD_DECRYPT_ERROR:
922 : return (SSL3_AD_HANDSHAKE_FAILURE);
923 : case SSL_AD_EXPORT_RESTRICTION:
924 : return (SSL3_AD_HANDSHAKE_FAILURE);
925 : case SSL_AD_PROTOCOL_VERSION:
926 : return (SSL3_AD_HANDSHAKE_FAILURE);
927 : case SSL_AD_INSUFFICIENT_SECURITY:
928 : return (SSL3_AD_HANDSHAKE_FAILURE);
929 : case SSL_AD_INTERNAL_ERROR:
930 : return (SSL3_AD_HANDSHAKE_FAILURE);
931 : case SSL_AD_USER_CANCELLED:
932 : return (SSL3_AD_HANDSHAKE_FAILURE);
933 : case SSL_AD_NO_RENEGOTIATION:
934 : return (-1); /* Don't send it :-) */
935 : case SSL_AD_UNSUPPORTED_EXTENSION:
936 : return (SSL3_AD_HANDSHAKE_FAILURE);
937 : case SSL_AD_CERTIFICATE_UNOBTAINABLE:
938 : return (SSL3_AD_HANDSHAKE_FAILURE);
939 : case SSL_AD_UNRECOGNIZED_NAME:
940 : return (SSL3_AD_HANDSHAKE_FAILURE);
941 : case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
942 : return (SSL3_AD_HANDSHAKE_FAILURE);
943 : case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
944 : return (SSL3_AD_HANDSHAKE_FAILURE);
945 : case SSL_AD_UNKNOWN_PSK_IDENTITY:
946 : return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
947 : case SSL_AD_INAPPROPRIATE_FALLBACK:
948 : return (TLS1_AD_INAPPROPRIATE_FALLBACK);
949 : default:
950 : return (-1);
951 : }
952 : }
|
