Home Explore Help
Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Files Issues 1 Wiki
Tree: c6738fd208
Branches Tags
openssl
/
ssl
/
s3_enc.c

s3_enc.c 34 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000 
  1. /* ssl/s3_enc.c */
    2. 

  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
    3. 

  3.  * All rights reserved.
    4. 

  4.  *
    5. 

  5.  * This package is an SSL implementation written
    6. 

  6.  * by Eric Young (eay@cryptsoft.com).
    7. 

  7.  * The implementation was written so as to conform with Netscapes SSL.
    8. 

  8.  *
    9. 

  9.  * This library is free for commercial and non-commercial use as long as
    10. 

  10.  * the following conditions are aheared to.  The following conditions
    11. 

  11.  * apply to all code found in this distribution, be it the RC4, RSA,
    12. 

  12.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
    13. 

  13.  * included with this distribution is covered by the same copyright terms
    14. 

  14.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
    15. 

  15.  *
    16. 

  16.  * Copyright remains Eric Young's, and as such any Copyright notices in
    17. 

  17.  * the code are not to be removed.
    18. 

  18.  * If this package is used in a product, Eric Young should be given attribution
    19. 

  19.  * as the author of the parts of the library used.
    20. 

  20.  * This can be in the form of a textual message at program startup or
    21. 

  21.  * in documentation (online or textual) provided with the package.
    22. 

  22.  *
    23. 

  23.  * Redistribution and use in source and binary forms, with or without
    24. 

  24.  * modification, are permitted provided that the following conditions
    25. 

  25.  * are met:
    26. 

  26.  * 1. Redistributions of source code must retain the copyright
    27. 

  27.  *    notice, this list of conditions and the following disclaimer.
    28. 

  28.  * 2. Redistributions in binary form must reproduce the above copyright
    29. 

  29.  *    notice, this list of conditions and the following disclaimer in the
    30. 

  30.  *    documentation and/or other materials provided with the distribution.
    31. 

  31.  * 3. All advertising materials mentioning features or use of this software
    32. 

  32.  *    must display the following acknowledgement:
    33. 

  33.  *    "This product includes cryptographic software written by
    34. 

  34.  *     Eric Young (eay@cryptsoft.com)"
    35. 

  35.  *    The word 'cryptographic' can be left out if the rouines from the library
    36. 

  36.  *    being used are not cryptographic related :-).
    37. 

  37.  * 4. If you include any Windows specific code (or a derivative thereof) from
    38. 

  38.  *    the apps directory (application code) you must include an acknowledgement:
    39. 

  39.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
    40. 

  40.  *
    41. 

  41.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
    42. 

  42.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    43. 

  43.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    44. 

  44.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    45. 

  45.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    46. 

  46.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    47. 

  47.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    48. 

  48.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    49. 

  49.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    50. 

  50.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    51. 

  51.  * SUCH DAMAGE.
    52. 

  52.  *
    53. 

  53.  * The licence and distribution terms for any publically available version or
    54. 

  54.  * derivative of this code cannot be changed.  i.e. this code cannot simply be
    55. 

  55.  * copied and put under another distribution licence
    56. 

  56.  * [including the GNU Public Licence.]
    57. 

  57.  */
    58. 

  58. /* ====================================================================
    59. 

  59.  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
    60. 

  60.  *
    61. 

  61.  * Redistribution and use in source and binary forms, with or without
    62. 

  62.  * modification, are permitted provided that the following conditions
    63. 

  63.  * are met:
    64. 

  64.  *
    65. 

  65.  * 1. Redistributions of source code must retain the above copyright
    66. 

  66.  *    notice, this list of conditions and the following disclaimer.
    67. 

  67.  *
    68. 

  68.  * 2. Redistributions in binary form must reproduce the above copyright
    69. 

  69.  *    notice, this list of conditions and the following disclaimer in
    70. 

  70.  *    the documentation and/or other materials provided with the
    71. 

  71.  *    distribution.
    72. 

  72.  *
    73. 

  73.  * 3. All advertising materials mentioning features or use of this
    74. 

  74.  *    software must display the following acknowledgment:
    75. 

  75.  *    "This product includes software developed by the OpenSSL Project
    76. 

  76.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
    77. 

  77.  *
    78. 

  78.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
    79. 

  79.  *    endorse or promote products derived from this software without
    80. 

  80.  *    prior written permission. For written permission, please contact
    81. 

  81.  *    openssl-core@openssl.org.
    82. 

  82.  *
    83. 

  83.  * 5. Products derived from this software may not be called "OpenSSL"
    84. 

  84.  *    nor may "OpenSSL" appear in their names without prior written
    85. 

  85.  *    permission of the OpenSSL Project.
    86. 

  86.  *
    87. 

  87.  * 6. Redistributions of any form whatsoever must retain the following
    88. 

  88.  *    acknowledgment:
    89. 

  89.  *    "This product includes software developed by the OpenSSL Project
    90. 

  90.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
    91. 

  91.  *
    92. 

  92.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
    93. 

  93.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    94. 

  94.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    95. 

  95.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
    96. 

  96.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
    97. 

  97.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
    98. 

  98.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
    99. 

  99.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    100. 

  100.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    101. 

  101.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    102. 

  102.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    103. 

  103.  * OF THE POSSIBILITY OF SUCH DAMAGE.
    104. 

  104.  * ====================================================================
    105. 

  105.  *
    106. 

  106.  * This product includes cryptographic software written by Eric Young
    107. 

  107.  * (eay@cryptsoft.com).  This product includes software written by Tim
    108. 

  108.  * Hudson (tjh@cryptsoft.com).
    109. 

  109.  *
    110. 

  110.  */
    111. 

  111. /* ====================================================================
    112. 

  112.  * Copyright 2005 Nokia. All rights reserved.
    113. 

  113.  *
    114. 

  114.  * The portions of the attached software ("Contribution") is developed by
    115. 

  115.  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
    116. 

  116.  * license.
    117. 

  117.  *
    118. 

  118.  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
    119. 

  119.  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
    120. 

  120.  * support (see RFC 4279) to OpenSSL.
    121. 

  121.  *
    122. 

  122.  * No patent licenses or other rights except those expressly stated in
    123. 

  123.  * the OpenSSL open source license shall be deemed granted or received
    124. 

  124.  * expressly, by implication, estoppel, or otherwise.
    125. 

  125.  *
    126. 

  126.  * No assurances are provided by Nokia that the Contribution does not
    127. 

  127.  * infringe the patent or other intellectual property rights of any third
    128. 

  128.  * party or that the license provides you with all the necessary rights
    129. 

  129.  * to make use of the Contribution.
    130. 

  130.  *
    131. 

  131.  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
    132. 

  132.  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
    133. 

  133.  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
    134. 

  134.  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
    135. 

  135.  * OTHERWISE.
    136. 

  136.  */
    137. 

  137. 

  138. #include <stdio.h>
    139. 

  139. #include "ssl_locl.h"
    140. 

  140. #include <openssl/evp.h>
    141. 

  141. #include <openssl/md5.h>
    142. 

  142. 

  143. static unsigned char ssl3_pad_1[48] = {
    144. 

  144.     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
    145. 

  145.     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
    146. 

  146.     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
    147. 

  147.     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
    148. 

  148.     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
    149. 

  149.     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
    150. 

  150. };
    151. 

  151. 

  152. static unsigned char ssl3_pad_2[48] = {
    153. 

  153.     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
    154. 

  154.     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
    155. 

  155.     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
    156. 

  156.     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
    157. 

  157.     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
    158. 

  158.     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
    159. 

  159. };
    160. 

  160. 

  161. static int ssl3_handshake_mac(SSL *s, int md_nid,
    162. 

  162.                               const char *sender, int len, unsigned char *p);
    163. 

  163. static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
    164. 

  164. {
    165. 

  165.     EVP_MD_CTX m5;
    166. 

  166.     EVP_MD_CTX s1;
    167. 

  167.     unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
    168. 

  168.     unsigned char c = 'A';
    169. 

  169.     unsigned int i, j, k;
    170. 

  170. 

  171. #ifdef CHARSET_EBCDIC
    172. 

  172.     c = os_toascii[c];          /* 'A' in ASCII */
    173. 

  173. #endif
    174. 

  174.     k = 0;
    175. 

  175.     EVP_MD_CTX_init(&m5);
    176. 

  176.     EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
    177. 

  177.     EVP_MD_CTX_init(&s1);
    178. 

  178.     for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
    179. 

  179.         k++;
    180. 

  180.         if (k > sizeof(buf))
    181. 

  181.             /* bug: 'buf' is too small for this ciphersuite */
    182. 

  182.             goto err;
    183. 

  183. 

  184.         for (j = 0; j < k; j++)
    185. 

  185.             buf[j] = c;
    186. 

  186.         c++;
    187. 

  187.         if (!EVP_DigestInit_ex(&s1, EVP_sha1(), NULL) ||
    188. 

  188.             !EVP_DigestUpdate(&s1, buf, k) ||
    189. 

  189.             !EVP_DigestUpdate(&s1, s->session->master_key,
    190. 

  190.                               s->session->master_key_length) ||
    191. 

  191.             !EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE) ||
    192. 

  192.             !EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE) ||
    193. 

  193.             !EVP_DigestFinal_ex(&s1, smd, NULL))
    194. 

  194.             goto err2;
    195. 

  195. 

  196.         if (!EVP_DigestInit_ex(&m5, EVP_md5(), NULL) ||
    197. 

  197.             !EVP_DigestUpdate(&m5, s->session->master_key,
    198. 

  198.                               s->session->master_key_length) ||
    199. 

  199.             !EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH))
    200. 

  200.             goto err2;
    201. 

  201.         if ((int)(i + MD5_DIGEST_LENGTH) > num) {
    202. 

  202.             if (!EVP_DigestFinal_ex(&m5, smd, NULL))
    203. 

  203.                 goto err2;
    204. 

  204.             memcpy(km, smd, (num - i));
    205. 

  205.         } else
    206. 

  206.             if (!EVP_DigestFinal_ex(&m5, km, NULL))
    207. 

  207.                 goto err2;
    208. 

  208. 

  209.         km += MD5_DIGEST_LENGTH;
    210. 

  210.     }
    211. 

  211.     OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
    212. 

  212.     EVP_MD_CTX_cleanup(&m5);
    213. 

  213.     EVP_MD_CTX_cleanup(&s1);
    214. 

  214.     return 1;
    215. 

  215.  err:
    216. 

  216.     SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
    217. 

  217.  err2:
    218. 

  218.     EVP_MD_CTX_cleanup(&m5);
    219. 

  219.     EVP_MD_CTX_cleanup(&s1);
    220. 

  220.     return 0;
    221. 

  221. }
    222. 

  222. 

  223. int ssl3_change_cipher_state(SSL *s, int which)
    224. 

  224. {
    225. 

  225.     unsigned char *p, *mac_secret;
    226. 

  226.     unsigned char exp_key[EVP_MAX_KEY_LENGTH];
    227. 

  227.     unsigned char exp_iv[EVP_MAX_IV_LENGTH];
    228. 

  228.     unsigned char *ms, *key, *iv, *er1, *er2;
    229. 

  229.     EVP_CIPHER_CTX *dd;
    230. 

  230.     const EVP_CIPHER *c;
    231. 

  231. #ifndef OPENSSL_NO_COMP
    232. 

  232.     COMP_METHOD *comp;
    233. 

  233. #endif
    234. 

  234.     const EVP_MD *m;
    235. 

  235.     EVP_MD_CTX md;
    236. 

  236.     int is_exp, n, i, j, k, cl;
    237. 

  237.     int reuse_dd = 0;
    238. 

  238. 

  239.     is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
    240. 

  240.     c = s->s3->tmp.new_sym_enc;
    241. 

  241.     m = s->s3->tmp.new_hash;
    242. 

  242.     /* m == NULL will lead to a crash later */
    243. 

  243.     OPENSSL_assert(m);
    244. 

  244. #ifndef OPENSSL_NO_COMP
    245. 

  245.     if (s->s3->tmp.new_compression == NULL)
    246. 

  246.         comp = NULL;
    247. 

  247.     else
    248. 

  248.         comp = s->s3->tmp.new_compression->method;
    249. 

  249. #endif
    250. 

  250. 

  251.     if (which & SSL3_CC_READ) {
    252. 

  252.         if (s->enc_read_ctx != NULL)
    253. 

  253.             reuse_dd = 1;
    254. 

  254.         else if ((s->enc_read_ctx =
    255. 

  255.                   OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
    256. 

  256.             goto err;
    257. 

  257.         else
    258. 

  258.             /*
    259. 

  259.              * make sure it's intialized in case we exit later with an error
    260. 

  260.              */
    261. 

  261.             EVP_CIPHER_CTX_init(s->enc_read_ctx);
    262. 

  262.         dd = s->enc_read_ctx;
    263. 

  263. 

  264.         if (ssl_replace_hash(&s->read_hash, m) == NULL) {
    265. 

  265.                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
    266. 

  266.                 goto err2;
    267. 

  267.         }
    268. 

  268. #ifndef OPENSSL_NO_COMP
    269. 

  269.         /* COMPRESS */
    270. 

  270.         if (s->expand != NULL) {
    271. 

  271.             COMP_CTX_free(s->expand);
    272. 

  272.             s->expand = NULL;
    273. 

  273.         }
    274. 

  274.         if (comp != NULL) {
    275. 

  275.             s->expand = COMP_CTX_new(comp);
    276. 

  276.             if (s->expand == NULL) {
    277. 

  277.                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
    278. 

  278.                        SSL_R_COMPRESSION_LIBRARY_ERROR);
    279. 

  279.                 goto err2;
    280. 

  280.             }
    281. 

  281.             if (s->s3->rrec.comp == NULL)
    282. 

  282.                 s->s3->rrec.comp = (unsigned char *)
    283. 

  283.                     OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
    284. 

  284.             if (s->s3->rrec.comp == NULL)
    285. 

  285.                 goto err;
    286. 

  286.         }
    287. 

  287. #endif
    288. 

  288.         memset(&(s->s3->read_sequence[0]), 0, 8);
    289. 

  289.         mac_secret = &(s->s3->read_mac_secret[0]);
    290. 

  290.     } else {
    291. 

  291.         if (s->enc_write_ctx != NULL)
    292. 

  292.             reuse_dd = 1;
    293. 

  293.         else if ((s->enc_write_ctx =
    294. 

  294.                   OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
    295. 

  295.             goto err;
    296. 

  296.         else
    297. 

  297.             /*
    298. 

  298.              * make sure it's intialized in case we exit later with an error
    299. 

  299.              */
    300. 

  300.             EVP_CIPHER_CTX_init(s->enc_write_ctx);
    301. 

  301.         dd = s->enc_write_ctx;
    302. 

  302.         if (ssl_replace_hash(&s->write_hash, m) == NULL) {
    303. 

  303.                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
    304. 

  304.                 goto err2;
    305. 

  305.         }
    306. 

  306. #ifndef OPENSSL_NO_COMP
    307. 

  307.         /* COMPRESS */
    308. 

  308.         if (s->compress != NULL) {
    309. 

  309.             COMP_CTX_free(s->compress);
    310. 

  310.             s->compress = NULL;
    311. 

  311.         }
    312. 

  312.         if (comp != NULL) {
    313. 

  313.             s->compress = COMP_CTX_new(comp);
    314. 

  314.             if (s->compress == NULL) {
    315. 

  315.                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
    316. 

  316.                        SSL_R_COMPRESSION_LIBRARY_ERROR);
    317. 

  317.                 goto err2;
    318. 

  318.             }
    319. 

  319.         }
    320. 

  320. #endif
    321. 

  321.         memset(&(s->s3->write_sequence[0]), 0, 8);
    322. 

  322.         mac_secret = &(s->s3->write_mac_secret[0]);
    323. 

  323.     }
    324. 

  324. 

  325.     if (reuse_dd)
    326. 

  326.         EVP_CIPHER_CTX_cleanup(dd);
    327. 

  327. 

  328.     p = s->s3->tmp.key_block;
    329. 

  329.     i = EVP_MD_size(m);
    330. 

  330.     if (i < 0)
    331. 

  331.         goto err2;
    332. 

  332.     cl = EVP_CIPHER_key_length(c);
    333. 

  333.     j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
    334. 

  334.                   cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
    335. 

  335.     /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
    336. 

  336.     k = EVP_CIPHER_iv_length(c);
    337. 

  337.     if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
    338. 

  338.         (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
    339. 

  339.         ms = &(p[0]);
    340. 

  340.         n = i + i;
    341. 

  341.         key = &(p[n]);
    342. 

  342.         n += j + j;
    343. 

  343.         iv = &(p[n]);
    344. 

  344.         n += k + k;
    345. 

  345.         er1 = &(s->s3->client_random[0]);
    346. 

  346.         er2 = &(s->s3->server_random[0]);
    347. 

  347.     } else {
    348. 

  348.         n = i;
    349. 

  349.         ms = &(p[n]);
    350. 

  350.         n += i + j;
    351. 

  351.         key = &(p[n]);
    352. 

  352.         n += j + k;
    353. 

  353.         iv = &(p[n]);
    354. 

  354.         n += k;
    355. 

  355.         er1 = &(s->s3->server_random[0]);
    356. 

  356.         er2 = &(s->s3->client_random[0]);
    357. 

  357.     }
    358. 

  358. 

  359.     if (n > s->s3->tmp.key_block_length) {
    360. 

  360.         SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
    361. 

  361.         goto err2;
    362. 

  362.     }
    363. 

  363. 

  364.     EVP_MD_CTX_init(&md);
    365. 

  365.     memcpy(mac_secret, ms, i);
    366. 

  366.     if (is_exp) {
    367. 

  367.         /*
    368. 

  368.          * In here I set both the read and write key/iv to the same value
    369. 

  369.          * since only the correct one will be used :-).
    370. 

  370.          */
    371. 

  371.         if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
    372. 

  372.             !EVP_DigestUpdate(&md, key, j) ||
    373. 

  373.             !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
    374. 

  374.             !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
    375. 

  375.             !EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL)) {
    376. 

  376.             EVP_MD_CTX_cleanup(&md);
    377. 

  377.             goto err2;
    378. 

  378.         }
    379. 

  379.         key = &(exp_key[0]);
    380. 

  380. 

  381.         if (k > 0) {
    382. 

  382.             if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
    383. 

  383.                 !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
    384. 

  384.                 !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
    385. 

  385.                 !EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL)) {
    386. 

  386.                 EVP_MD_CTX_cleanup(&md);
    387. 

  387.                 goto err2;
    388. 

  388.             }
    389. 

  389.             iv = &(exp_iv[0]);
    390. 

  390.         }
    391. 

  391.     }
    392. 

  392.     EVP_MD_CTX_cleanup(&md);
    393. 

  393. 

  394.     s->session->key_arg_length = 0;
    395. 

  395. 

  396.     if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)))
    397. 

  397.         goto err2;
    398. 

  398. 

  399. #ifdef OPENSSL_SSL_TRACE_CRYPTO
    400. 

  400.     if (s->msg_callback) {
    401. 

  401. 

  402.         int wh = which & SSL3_CC_WRITE ?
    403. 

  403.             TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
    404. 

  404.         s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
    405. 

  405.                         mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
    406. 

  406.         if (c->key_len)
    407. 

  407.             s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
    408. 

  408.                             key, c->key_len, s, s->msg_callback_arg);
    409. 

  409.         if (k) {
    410. 

  410.             s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
    411. 

  411.                             iv, k, s, s->msg_callback_arg);
    412. 

  412.         }
    413. 

  413.     }
    414. 

  414. #endif
    415. 

  415. 

  416.     OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
    417. 

  417.     OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
    418. 

  418.     return (1);
    419. 

  419.  err:
    420. 

  420.     SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
    421. 

  421.  err2:
    422. 

  422.     return (0);
    423. 

  423. }
    424. 

  424. 

  425. int ssl3_setup_key_block(SSL *s)
    426. 

  426. {
    427. 

  427.     unsigned char *p;
    428. 

  428.     const EVP_CIPHER *c;
    429. 

  429.     const EVP_MD *hash;
    430. 

  430.     int num;
    431. 

  431.     int ret = 0;
    432. 

  432.     SSL_COMP *comp;
    433. 

  433. 

  434.     if (s->s3->tmp.key_block_length != 0)
    435. 

  435.         return (1);
    436. 

  436. 

  437.     if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
    438. 

  438.         SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
    439. 

  439.         return (0);
    440. 

  440.     }
    441. 

  441. 

  442.     s->s3->tmp.new_sym_enc = c;
    443. 

  443.     s->s3->tmp.new_hash = hash;
    444. 

  444. #ifdef OPENSSL_NO_COMP
    445. 

  445.     s->s3->tmp.new_compression = NULL;
    446. 

  446. #else
    447. 

  447.     s->s3->tmp.new_compression = comp;
    448. 

  448. #endif
    449. 

  449. 

  450.     num = EVP_MD_size(hash);
    451. 

  451.     if (num < 0)
    452. 

  452.         return 0;
    453. 

  453. 

  454.     num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
    455. 

  455.     num *= 2;
    456. 

  456. 

  457.     ssl3_cleanup_key_block(s);
    458. 

  458. 

  459.     if ((p = OPENSSL_malloc(num)) == NULL)
    460. 

  460.         goto err;
    461. 

  461. 

  462.     s->s3->tmp.key_block_length = num;
    463. 

  463.     s->s3->tmp.key_block = p;
    464. 

  464. 

  465.     ret = ssl3_generate_key_block(s, p, num);
    466. 

  466. 

  467.     if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
    468. 

  468.         /*
    469. 

  469.          * enable vulnerability countermeasure for CBC ciphers with known-IV
    470. 

  470.          * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
    471. 

  471.          */
    472. 

  472.         s->s3->need_empty_fragments = 1;
    473. 

  473. 

  474.         if (s->session->cipher != NULL) {
    475. 

  475.             if (s->session->cipher->algorithm_enc == SSL_eNULL)
    476. 

  476.                 s->s3->need_empty_fragments = 0;
    477. 

  477. 

  478. #ifndef OPENSSL_NO_RC4
    479. 

  479.             if (s->session->cipher->algorithm_enc == SSL_RC4)
    480. 

  480.                 s->s3->need_empty_fragments = 0;
    481. 

  481. #endif
    482. 

  482.         }
    483. 

  483.     }
    484. 

  484. 

  485.     return ret;
    486. 

  486. 

  487.  err:
    488. 

  488.     SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
    489. 

  489.     return (0);
    490. 

  490. }
    491. 

  491. 

  492. void ssl3_cleanup_key_block(SSL *s)
    493. 

  493. {
    494. 

  494.     if (s->s3->tmp.key_block != NULL) {
    495. 

  495.         OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
    496. 

  496.         OPENSSL_free(s->s3->tmp.key_block);
    497. 

  497.         s->s3->tmp.key_block = NULL;
    498. 

  498.     }
    499. 

  499.     s->s3->tmp.key_block_length = 0;
    500. 

  500. }
    501. 

  501. 

  502. /*-
    503. 

  503.  * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
    504. 

  504.  *
    505. 

  505.  * Returns:
    506. 

  506.  *   0: (in non-constant time) if the record is publically invalid (i.e. too
    507. 

  507.  *       short etc).
    508. 

  508.  *   1: if the record's padding is valid / the encryption was successful.
    509. 

  509.  *   -1: if the record's padding is invalid or, if sending, an internal error
    510. 

  510.  *       occured.
    511. 

  511.  */
    512. 

  512. int ssl3_enc(SSL *s, int send)
    513. 

  513. {
    514. 

  514.     SSL3_RECORD *rec;
    515. 

  515.     EVP_CIPHER_CTX *ds;
    516. 

  516.     unsigned long l;
    517. 

  517.     int bs, i, mac_size = 0;
    518. 

  518.     const EVP_CIPHER *enc;
    519. 

  519. 

  520.     if (send) {
    521. 

  521.         ds = s->enc_write_ctx;
    522. 

  522.         rec = &(s->s3->wrec);
    523. 

  523.         if (s->enc_write_ctx == NULL)
    524. 

  524.             enc = NULL;
    525. 

  525.         else
    526. 

  526.             enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
    527. 

  527.     } else {
    528. 

  528.         ds = s->enc_read_ctx;
    529. 

  529.         rec = &(s->s3->rrec);
    530. 

  530.         if (s->enc_read_ctx == NULL)
    531. 

  531.             enc = NULL;
    532. 

  532.         else
    533. 

  533.             enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
    534. 

  534.     }
    535. 

  535. 

  536.     if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
    537. 

  537.         memmove(rec->data, rec->input, rec->length);
    538. 

  538.         rec->input = rec->data;
    539. 

  539.     } else {
    540. 

  540.         l = rec->length;
    541. 

  541.         bs = EVP_CIPHER_block_size(ds->cipher);
    542. 

  542. 

  543.         /* COMPRESS */
    544. 

  544. 

  545.         if ((bs != 1) && send) {
    546. 

  546.             i = bs - ((int)l % bs);
    547. 

  547. 

  548.             /* we need to add 'i-1' padding bytes */
    549. 

  549.             l += i;
    550. 

  550.             /*
    551. 

  551.              * the last of these zero bytes will be overwritten with the
    552. 

  552.              * padding length.
    553. 

  553.              */
    554. 

  554.             memset(&rec->input[rec->length], 0, i);
    555. 

  555.             rec->length += i;
    556. 

  556.             rec->input[l - 1] = (i - 1);
    557. 

  557.         }
    558. 

  558. 

  559.         if (!send) {
    560. 

  560.             if (l == 0 || l % bs != 0)
    561. 

  561.                 return 0;
    562. 

  562.             /* otherwise, rec->length >= bs */
    563. 

  563.         }
    564. 

  564. 

  565.         if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
    566. 

  566.             return -1;
    567. 

  567. 

  568.         if (EVP_MD_CTX_md(s->read_hash) != NULL)
    569. 

  569.             mac_size = EVP_MD_CTX_size(s->read_hash);
    570. 

  570.         if ((bs != 1) && !send)
    571. 

  571.             return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
    572. 

  572.     }
    573. 

  573.     return 1;
    574. 

  574. }
    575. 

  575. 

  576. int ssl3_init_finished_mac(SSL *s)
    577. 

  577. {
    578. 

  578.     if (s->s3->handshake_buffer)
    579. 

  579.         BIO_free(s->s3->handshake_buffer);
    580. 

  580.     if (s->s3->handshake_dgst)
    581. 

  581.         ssl3_free_digest_list(s);
    582. 

  582.     s->s3->handshake_buffer = BIO_new(BIO_s_mem());
    583. 

  583.     if (s->s3->handshake_buffer == NULL)
    584. 

  584.         return 0;
    585. 

  585.     (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
    586. 

  586.     return 1;
    587. 

  587. }
    588. 

  588. 

  589. void ssl3_free_digest_list(SSL *s)
    590. 

  590. {
    591. 

  591.     int i;
    592. 

  592.     if (!s->s3->handshake_dgst)
    593. 

  593.         return;
    594. 

  594.     for (i = 0; i < SSL_MAX_DIGEST; i++) {
    595. 

  595.         if (s->s3->handshake_dgst[i])
    596. 

  596.             EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
    597. 

  597.     }
    598. 

  598.     OPENSSL_free(s->s3->handshake_dgst);
    599. 

  599.     s->s3->handshake_dgst = NULL;
    600. 

  600. }
    601. 

  601. 

  602. void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
    603. 

  603. {
    604. 

  604.     if (s->s3->handshake_buffer
    605. 

  605.         && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
    606. 

  606.         BIO_write(s->s3->handshake_buffer, (void *)buf, len);
    607. 

  607.     } else {
    608. 

  608.         int i;
    609. 

  609.         for (i = 0; i < SSL_MAX_DIGEST; i++) {
    610. 

  610.             if (s->s3->handshake_dgst[i] != NULL)
    611. 

  611.                 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
    612. 

  612.         }
    613. 

  613.     }
    614. 

  614. }
    615. 

  615. 

  616. int ssl3_digest_cached_records(SSL *s)
    617. 

  617. {
    618. 

  618.     int i;
    619. 

  619.     long mask;
    620. 

  620.     const EVP_MD *md;
    621. 

  621.     long hdatalen;
    622. 

  622.     void *hdata;
    623. 

  623. 

  624.     /* Allocate handshake_dgst array */
    625. 

  625.     ssl3_free_digest_list(s);
    626. 

  626.     s->s3->handshake_dgst =
    627. 

  627.         OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
    628. 

  628.     if (s->s3->handshake_dgst == NULL) {
    629. 

  629.         SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
    630. 

  630.         return 0;
    631. 

  631.     }
    632. 

  632.     memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
    633. 

  633.     hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
    634. 

  634.     if (hdatalen <= 0) {
    635. 

  635.         SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
    636. 

  636.         return 0;
    637. 

  637.     }
    638. 

  638. 

  639.     /* Loop through bitso of algorithm2 field and create MD_CTX-es */
    640. 

  640.     for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
    641. 

  641.         if ((mask & ssl_get_algorithm2(s)) && md) {
    642. 

  642.             s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
    643. 

  643.             if (s->s3->handshake_dgst[i] == NULL) {
    644. 

  644.                 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
    645. 

  645.                 return 0;
    646. 

  646.             }
    647. 

  647. #ifdef OPENSSL_FIPS
    648. 

  648.             if (EVP_MD_nid(md) == NID_md5) {
    649. 

  649.                 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
    650. 

  650.                                      EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
    651. 

  651.             }
    652. 

  652. #endif
    653. 

  653.             if (!EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL)
    654. 

  654.                 || !EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata,
    655. 

  655.                                      hdatalen)) {
    656. 

  656.                 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR);
    657. 

  657.                 return 0;
    658. 

  658.             }
    659. 

  659.         } else {
    660. 

  660.             s->s3->handshake_dgst[i] = NULL;
    661. 

  661.         }
    662. 

  662.     }
    663. 

  663.     if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
    664. 

  664.         /* Free handshake_buffer BIO */
    665. 

  665.         BIO_free(s->s3->handshake_buffer);
    666. 

  666.         s->s3->handshake_buffer = NULL;
    667. 

  667.     }
    668. 

  668. 

  669.     return 1;
    670. 

  670. }
    671. 

  671. 

  672. int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
    673. 

  673. {
    674. 

  674.     return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
    675. 

  675. }
    676. 

  676. 

  677. int ssl3_final_finish_mac(SSL *s,
    678. 

  678.                           const char *sender, int len, unsigned char *p)
    679. 

  679. {
    680. 

  680.     int ret, sha1len;
    681. 

  681.     ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
    682. 

  682.     if (ret == 0)
    683. 

  683.         return 0;
    684. 

  684. 

  685.     p += ret;
    686. 

  686. 

  687.     sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
    688. 

  688.     if (sha1len == 0)
    689. 

  689.         return 0;
    690. 

  690. 

  691.     ret += sha1len;
    692. 

  692.     return (ret);
    693. 

  693. }
    694. 

  694. 

  695. static int ssl3_handshake_mac(SSL *s, int md_nid,
    696. 

  696.                               const char *sender, int len, unsigned char *p)
    697. 

  697. {
    698. 

  698.     unsigned int ret;
    699. 

  699.     int npad, n;
    700. 

  700.     unsigned int i;
    701. 

  701.     unsigned char md_buf[EVP_MAX_MD_SIZE];
    702. 

  702.     EVP_MD_CTX ctx, *d = NULL;
    703. 

  703. 

  704.     if (s->s3->handshake_buffer)
    705. 

  705.         if (!ssl3_digest_cached_records(s))
    706. 

  706.             return 0;
    707. 

  707. 

  708.     /*
    709. 

  709.      * Search for digest of specified type in the handshake_dgst array
    710. 

  710.      */
    711. 

  711.     for (i = 0; i < SSL_MAX_DIGEST; i++) {
    712. 

  712.         if (s->s3->handshake_dgst[i]
    713. 

  713.             && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
    714. 

  714.             d = s->s3->handshake_dgst[i];
    715. 

  715.             break;
    716. 

  716.         }
    717. 

  717.     }
    718. 

  718.     if (!d) {
    719. 

  719.         SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
    720. 

  720.         return 0;
    721. 

  721.     }
    722. 

  722.     EVP_MD_CTX_init(&ctx);
    723. 

  723.     EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
    724. 

  724.     EVP_MD_CTX_copy_ex(&ctx, d);
    725. 

  725.     n = EVP_MD_CTX_size(&ctx);
    726. 

  726.     if (n < 0)
    727. 

  727.         return 0;
    728. 

  728. 

  729.     npad = (48 / n) * n;
    730. 

  730.     if ((sender != NULL && EVP_DigestUpdate(&ctx, sender, len) <= 0)
    731. 

  731.             || EVP_DigestUpdate(&ctx, s->session->master_key,
    732. 

  732.                                 s->session->master_key_length) <= 0
    733. 

  733.             || EVP_DigestUpdate(&ctx, ssl3_pad_1, npad) <= 0
    734. 

  734.             || EVP_DigestFinal_ex(&ctx, md_buf, &i) <= 0
    735. 

  735. 

  736.             || EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL) <= 0
    737. 

  737.             || EVP_DigestUpdate(&ctx, s->session->master_key,
    738. 

  738.                                 s->session->master_key_length) <= 0
    739. 

  739.             || EVP_DigestUpdate(&ctx, ssl3_pad_2, npad) <= 0
    740. 

  740.             || EVP_DigestUpdate(&ctx, md_buf, i) <= 0
    741. 

  741.             || EVP_DigestFinal_ex(&ctx, p, &ret) <= 0) {
    742. 

  742.         SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, ERR_R_INTERNAL_ERROR);
    743. 

  743.         ret = 0;
    744. 

  744.     }
    745. 

  745. 

  746.     EVP_MD_CTX_cleanup(&ctx);
    747. 

  747. 

  748.     return ((int)ret);
    749. 

  749. }
    750. 

  750. 

  751. int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
    752. 

  752. {
    753. 

  753.     SSL3_RECORD *rec;
    754. 

  754.     unsigned char *mac_sec, *seq;
    755. 

  755.     EVP_MD_CTX md_ctx;
    756. 

  756.     const EVP_MD_CTX *hash;
    757. 

  757.     unsigned char *p, rec_char;
    758. 

  758.     size_t md_size, orig_len;
    759. 

  759.     int npad;
    760. 

  760.     int t;
    761. 

  761. 

  762.     if (send) {
    763. 

  763.         rec = &(ssl->s3->wrec);
    764. 

  764.         mac_sec = &(ssl->s3->write_mac_secret[0]);
    765. 

  765.         seq = &(ssl->s3->write_sequence[0]);
    766. 

  766.         hash = ssl->write_hash;
    767. 

  767.     } else {
    768. 

  768.         rec = &(ssl->s3->rrec);
    769. 

  769.         mac_sec = &(ssl->s3->read_mac_secret[0]);
    770. 

  770.         seq = &(ssl->s3->read_sequence[0]);
    771. 

  771.         hash = ssl->read_hash;
    772. 

  772.     }
    773. 

  773. 

  774.     t = EVP_MD_CTX_size(hash);
    775. 

  775.     if (t < 0)
    776. 

  776.         return -1;
    777. 

  777.     md_size = t;
    778. 

  778.     npad = (48 / md_size) * md_size;
    779. 

  779. 

  780.     /*
    781. 

  781.      * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
    782. 

  782.      */
    783. 

  783.     orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
    784. 

  784.     rec->type &= 0xff;
    785. 

  785. 

  786.     if (!send &&
    787. 

  787.         EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
    788. 

  788.         ssl3_cbc_record_digest_supported(hash)) {
    789. 

  789.         /*
    790. 

  790.          * This is a CBC-encrypted record. We must avoid leaking any
    791. 

  791.          * timing-side channel information about how many blocks of data we
    792. 

  792.          * are hashing because that gives an attacker a timing-oracle.
    793. 

  793.          */
    794. 

  794. 

  795.         /*-
    796. 

  796.          * npad is, at most, 48 bytes and that's with MD5:
    797. 

  797.          *   16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
    798. 

  798.          *
    799. 

  799.          * With SHA-1 (the largest hash speced for SSLv3) the hash size
    800. 

  800.          * goes up 4, but npad goes down by 8, resulting in a smaller
    801. 

  801.          * total size.
    802. 

  802.          */
    803. 

  803.         unsigned char header[75];
    804. 

  804.         unsigned j = 0;
    805. 

  805.         memcpy(header + j, mac_sec, md_size);
    806. 

  806.         j += md_size;
    807. 

  807.         memcpy(header + j, ssl3_pad_1, npad);
    808. 

  808.         j += npad;
    809. 

  809.         memcpy(header + j, seq, 8);
    810. 

  810.         j += 8;
    811. 

  811.         header[j++] = rec->type;
    812. 

  812.         header[j++] = rec->length >> 8;
    813. 

  813.         header[j++] = rec->length & 0xff;
    814. 

  814. 

  815.         /* Final param == is SSLv3 */
    816. 

  816.         if (ssl3_cbc_digest_record(hash,
    817. 

  817.                                    md, &md_size,
    818. 

  818.                                    header, rec->input,
    819. 

  819.                                    rec->length + md_size, orig_len,
    820. 

  820.                                    mac_sec, md_size, 1) <= 0)
    821. 

  821.             return -1;
    822. 

  822.     } else {
    823. 

  823.         unsigned int md_size_u;
    824. 

  824.         /* Chop the digest off the end :-) */
    825. 

  825.         EVP_MD_CTX_init(&md_ctx);
    826. 

  826. 

  827.         rec_char = rec->type;
    828. 

  828.         p = md;
    829. 

  829.         s2n(rec->length, p);
    830. 

  830.         if (EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
    831. 

  831.                 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
    832. 

  832.                 || EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad) <= 0
    833. 

  833.                 || EVP_DigestUpdate(&md_ctx, seq, 8) <= 0
    834. 

  834.                 || EVP_DigestUpdate(&md_ctx, &rec_char, 1) <= 0
    835. 

  835.                 || EVP_DigestUpdate(&md_ctx, md, 2) <= 0
    836. 

  836.                 || EVP_DigestUpdate(&md_ctx, rec->input, rec->length) <= 0
    837. 

  837.                 || EVP_DigestFinal_ex(&md_ctx, md, NULL) <= 0
    838. 

  838.                 || EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
    839. 

  839.                 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
    840. 

  840.                 || EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad) <= 0
    841. 

  841.                 || EVP_DigestUpdate(&md_ctx, md, md_size) <= 0
    842. 

  842.                 || EVP_DigestFinal_ex(&md_ctx, md, &md_size_u) <= 0) {
    843. 

  843.             EVP_MD_CTX_cleanup(&md_ctx);
    844. 

  844.             return -1;
    845. 

  845.         }
    846. 

  846.         md_size = md_size_u;
    847. 

  847. 

  848.         EVP_MD_CTX_cleanup(&md_ctx);
    849. 

  849.     }
    850. 

  850. 

  851.     ssl3_record_sequence_update(seq);
    852. 

  852.     return (md_size);
    853. 

  853. }
    854. 

  854. 

  855. void ssl3_record_sequence_update(unsigned char *seq)
    856. 

  856. {
    857. 

  857.     int i;
    858. 

  858. 

  859.     for (i = 7; i >= 0; i--) {
    860. 

  860.         ++seq[i];
    861. 

  861.         if (seq[i] != 0)
    862. 

  862.             break;
    863. 

  863.     }
    864. 

  864. }
    865. 

  865. 

  866. int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
    867. 

  867.                                 int len)
    868. 

  868. {
    869. 

  869.     static const unsigned char *salt[3] = {
    870. 

  870. #ifndef CHARSET_EBCDIC
    871. 

  871.         (const unsigned char *)"A",
    872. 

  872.         (const unsigned char *)"BB",
    873. 

  873.         (const unsigned char *)"CCC",
    874. 

  874. #else
    875. 

  875.         (const unsigned char *)"\x41",
    876. 

  876.         (const unsigned char *)"\x42\x42",
    877. 

  877.         (const unsigned char *)"\x43\x43\x43",
    878. 

  878. #endif
    879. 

  879.     };
    880. 

  880.     unsigned char buf[EVP_MAX_MD_SIZE];
    881. 

  881.     EVP_MD_CTX ctx;
    882. 

  882.     int i, ret = 0;
    883. 

  883.     unsigned int n;
    884. 

  884. #ifdef OPENSSL_SSL_TRACE_CRYPTO
    885. 

  885.     unsigned char *tmpout = out;
    886. 

  886. #endif
    887. 

  887. 

  888.     EVP_MD_CTX_init(&ctx);
    889. 

  889.     for (i = 0; i < 3; i++) {
    890. 

  890.         if (EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL) <= 0
    891. 

  891.                 || EVP_DigestUpdate(&ctx, salt[i],
    892. 

  892.                                     strlen((const char *)salt[i])) <= 0
    893. 

  893.                 || EVP_DigestUpdate(&ctx, p, len) <= 0
    894. 

  894.                 || EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]),
    895. 

  895.                                     SSL3_RANDOM_SIZE) <= 0
    896. 

  896.                 || EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]),
    897. 

  897.                                     SSL3_RANDOM_SIZE) <= 0
    898. 

  898.                 || EVP_DigestFinal_ex(&ctx, buf, &n) <= 0
    899. 

  899. 

  900.                 || EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL) <= 0
    901. 

  901.                 || EVP_DigestUpdate(&ctx, p, len) <= 0
    902. 

  902.                 || EVP_DigestUpdate(&ctx, buf, n) <= 0
    903. 

  903.                 || EVP_DigestFinal_ex(&ctx, out, &n) <= 0) {
    904. 

  904.             SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
    905. 

  905.             ret = 0;
    906. 

  906.             break;
    907. 

  907.         }
    908. 

  908.         out += n;
    909. 

  909.         ret += n;
    910. 

  910.     }
    911. 

  911.     EVP_MD_CTX_cleanup(&ctx);
    912. 

  912. 

  913. #ifdef OPENSSL_SSL_TRACE_CRYPTO
    914. 

  914.     if (ret > 0 && s->msg_callback) {
    915. 

  915.         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
    916. 

  916.                         p, len, s, s->msg_callback_arg);
    917. 

  917.         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
    918. 

  918.                         s->s3->client_random, SSL3_RANDOM_SIZE,
    919. 

  919.                         s, s->msg_callback_arg);
    920. 

  920.         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
    921. 

  921.                         s->s3->server_random, SSL3_RANDOM_SIZE,
    922. 

  922.                         s, s->msg_callback_arg);
    923. 

  923.         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
    924. 

  924.                         tmpout, SSL3_MASTER_SECRET_SIZE,
    925. 

  925.                         s, s->msg_callback_arg);
    926. 

  926.     }
    927. 

  927. #endif
    928. 

  928.     OPENSSL_cleanse(buf, sizeof(buf));
    929. 

  929.     return (ret);
    930. 

  930. }
    931. 

  931. 

  932. int ssl3_alert_code(int code)
    933. 

  933. {
    934. 

  934.     switch (code) {
    935. 

  935.     case SSL_AD_CLOSE_NOTIFY:
    936. 

  936.         return (SSL3_AD_CLOSE_NOTIFY);
    937. 

  937.     case SSL_AD_UNEXPECTED_MESSAGE:
    938. 

  938.         return (SSL3_AD_UNEXPECTED_MESSAGE);
    939. 

  939.     case SSL_AD_BAD_RECORD_MAC:
    940. 

  940.         return (SSL3_AD_BAD_RECORD_MAC);
    941. 

  941.     case SSL_AD_DECRYPTION_FAILED:
    942. 

  942.         return (SSL3_AD_BAD_RECORD_MAC);
    943. 

  943.     case SSL_AD_RECORD_OVERFLOW:
    944. 

  944.         return (SSL3_AD_BAD_RECORD_MAC);
    945. 

  945.     case SSL_AD_DECOMPRESSION_FAILURE:
    946. 

  946.         return (SSL3_AD_DECOMPRESSION_FAILURE);
    947. 

  947.     case SSL_AD_HANDSHAKE_FAILURE:
    948. 

  948.         return (SSL3_AD_HANDSHAKE_FAILURE);
    949. 

  949.     case SSL_AD_NO_CERTIFICATE:
    950. 

  950.         return (SSL3_AD_NO_CERTIFICATE);
    951. 

  951.     case SSL_AD_BAD_CERTIFICATE:
    952. 

  952.         return (SSL3_AD_BAD_CERTIFICATE);
    953. 

  953.     case SSL_AD_UNSUPPORTED_CERTIFICATE:
    954. 

  954.         return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
    955. 

  955.     case SSL_AD_CERTIFICATE_REVOKED:
    956. 

  956.         return (SSL3_AD_CERTIFICATE_REVOKED);
    957. 

  957.     case SSL_AD_CERTIFICATE_EXPIRED:
    958. 

  958.         return (SSL3_AD_CERTIFICATE_EXPIRED);
    959. 

  959.     case SSL_AD_CERTIFICATE_UNKNOWN:
    960. 

  960.         return (SSL3_AD_CERTIFICATE_UNKNOWN);
    961. 

  961.     case SSL_AD_ILLEGAL_PARAMETER:
    962. 

  962.         return (SSL3_AD_ILLEGAL_PARAMETER);
    963. 

  963.     case SSL_AD_UNKNOWN_CA:
    964. 

  964.         return (SSL3_AD_BAD_CERTIFICATE);
    965. 

  965.     case SSL_AD_ACCESS_DENIED:
    966. 

  966.         return (SSL3_AD_HANDSHAKE_FAILURE);
    967. 

  967.     case SSL_AD_DECODE_ERROR:
    968. 

  968.         return (SSL3_AD_HANDSHAKE_FAILURE);
    969. 

  969.     case SSL_AD_DECRYPT_ERROR:
    970. 

  970.         return (SSL3_AD_HANDSHAKE_FAILURE);
    971. 

  971.     case SSL_AD_EXPORT_RESTRICTION:
    972. 

  972.         return (SSL3_AD_HANDSHAKE_FAILURE);
    973. 

  973.     case SSL_AD_PROTOCOL_VERSION:
    974. 

  974.         return (SSL3_AD_HANDSHAKE_FAILURE);
    975. 

  975.     case SSL_AD_INSUFFICIENT_SECURITY:
    976. 

  976.         return (SSL3_AD_HANDSHAKE_FAILURE);
    977. 

  977.     case SSL_AD_INTERNAL_ERROR:
    978. 

  978.         return (SSL3_AD_HANDSHAKE_FAILURE);
    979. 

  979.     case SSL_AD_USER_CANCELLED:
    980. 

  980.         return (SSL3_AD_HANDSHAKE_FAILURE);
    981. 

  981.     case SSL_AD_NO_RENEGOTIATION:
    982. 

  982.         return (-1);            /* Don't send it :-) */
    983. 

  983.     case SSL_AD_UNSUPPORTED_EXTENSION:
    984. 

  984.         return (SSL3_AD_HANDSHAKE_FAILURE);
    985. 

  985.     case SSL_AD_CERTIFICATE_UNOBTAINABLE:
    986. 

  986.         return (SSL3_AD_HANDSHAKE_FAILURE);
    987. 

  987.     case SSL_AD_UNRECOGNIZED_NAME:
    988. 

  988.         return (SSL3_AD_HANDSHAKE_FAILURE);
    989. 

  989.     case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
    990. 

  990.         return (SSL3_AD_HANDSHAKE_FAILURE);
    991. 

  991.     case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
    992. 

  992.         return (SSL3_AD_HANDSHAKE_FAILURE);
    993. 

  993.     case SSL_AD_UNKNOWN_PSK_IDENTITY:
    994. 

  994.         return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
    995. 

  995.     case SSL_AD_INAPPROPRIATE_FALLBACK:
    996. 

  996.         return (TLS1_AD_INAPPROPRIATE_FALLBACK);
    997. 

  997.     default:
    998. 

  998.         return (-1);
    999. 

  999.     }
    1000. 

  1000. }
    1001.