search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
OpenSSL: update to 1.0.1m
[tomato.git] / release / src / router / openssl / ssl / s3_enc.c
blob152f40db582b8b813136cab7c00375148a2194d2
1 /* ssl/s3_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138 #include <stdio.h>
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
142
143 static unsigned char ssl3_pad_1[48] = {
144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
150 };
151
152 static unsigned char ssl3_pad_2[48] = {
153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
159 };
160
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162 const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
164 {
165 EVP_MD_CTX m5;
166 EVP_MD_CTX s1;
167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168 unsigned char c = 'A';
169 unsigned int i, j, k;
170
171 #ifdef CHARSET_EBCDIC
172 c = os_toascii[c]; /* 'A' in ASCII */
173 #endif
174 k = 0;
175 EVP_MD_CTX_init(&m5);
176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177 EVP_MD_CTX_init(&s1);
178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
179 k++;
180 if (k > sizeof buf) {
181 /* bug: 'buf' is too small for this ciphersuite */
182 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
183 return 0;
184 }
185
186 for (j = 0; j < k; j++)
187 buf[j] = c;
188 c++;
189 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
190 EVP_DigestUpdate(&s1, buf, k);
191 EVP_DigestUpdate(&s1, s->session->master_key,
192 s->session->master_key_length);
193 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
194 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
195 EVP_DigestFinal_ex(&s1, smd, NULL);
196
197 EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
198 EVP_DigestUpdate(&m5, s->session->master_key,
199 s->session->master_key_length);
200 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
201 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202 EVP_DigestFinal_ex(&m5, smd, NULL);
203 memcpy(km, smd, (num - i));
204 } else
205 EVP_DigestFinal_ex(&m5, km, NULL);
206
207 km += MD5_DIGEST_LENGTH;
208 }
209 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
210 EVP_MD_CTX_cleanup(&m5);
211 EVP_MD_CTX_cleanup(&s1);
212 return 1;
213 }
214
215 int ssl3_change_cipher_state(SSL *s, int which)
216 {
217 unsigned char *p, *mac_secret;
218 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
219 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
220 unsigned char *ms, *key, *iv, *er1, *er2;
221 EVP_CIPHER_CTX *dd;
222 const EVP_CIPHER *c;
223 #ifndef OPENSSL_NO_COMP
224 COMP_METHOD *comp;
225 #endif
226 const EVP_MD *m;
227 EVP_MD_CTX md;
228 int is_exp, n, i, j, k, cl;
229 int reuse_dd = 0;
230
231 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
232 c = s->s3->tmp.new_sym_enc;
233 m = s->s3->tmp.new_hash;
234 /* m == NULL will lead to a crash later */
235 OPENSSL_assert(m);
236 #ifndef OPENSSL_NO_COMP
237 if (s->s3->tmp.new_compression == NULL)
238 comp = NULL;
239 else
240 comp = s->s3->tmp.new_compression->method;
241 #endif
242
243 if (which & SSL3_CC_READ) {
244 if (s->enc_read_ctx != NULL)
245 reuse_dd = 1;
246 else if ((s->enc_read_ctx =
247 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
248 goto err;
249 else
250 /*
251 * make sure it's intialized in case we exit later with an error
252 */
253 EVP_CIPHER_CTX_init(s->enc_read_ctx);
254 dd = s->enc_read_ctx;
255
256 ssl_replace_hash(&s->read_hash, m);
257 #ifndef OPENSSL_NO_COMP
258 /* COMPRESS */
259 if (s->expand != NULL) {
260 COMP_CTX_free(s->expand);
261 s->expand = NULL;
262 }
263 if (comp != NULL) {
264 s->expand = COMP_CTX_new(comp);
265 if (s->expand == NULL) {
266 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
267 SSL_R_COMPRESSION_LIBRARY_ERROR);
268 goto err2;
269 }
270 if (s->s3->rrec.comp == NULL)
271 s->s3->rrec.comp = (unsigned char *)
272 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
273 if (s->s3->rrec.comp == NULL)
274 goto err;
275 }
276 #endif
277 memset(&(s->s3->read_sequence[0]), 0, 8);
278 mac_secret = &(s->s3->read_mac_secret[0]);
279 } else {
280 if (s->enc_write_ctx != NULL)
281 reuse_dd = 1;
282 else if ((s->enc_write_ctx =
283 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
284 goto err;
285 else
286 /*
287 * make sure it's intialized in case we exit later with an error
288 */
289 EVP_CIPHER_CTX_init(s->enc_write_ctx);
290 dd = s->enc_write_ctx;
291 ssl_replace_hash(&s->write_hash, m);
292 #ifndef OPENSSL_NO_COMP
293 /* COMPRESS */
294 if (s->compress != NULL) {
295 COMP_CTX_free(s->compress);
296 s->compress = NULL;
297 }
298 if (comp != NULL) {
299 s->compress = COMP_CTX_new(comp);
300 if (s->compress == NULL) {
301 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
302 SSL_R_COMPRESSION_LIBRARY_ERROR);
303 goto err2;
304 }
305 }
306 #endif
307 memset(&(s->s3->write_sequence[0]), 0, 8);
308 mac_secret = &(s->s3->write_mac_secret[0]);
309 }
310
311 if (reuse_dd)
312 EVP_CIPHER_CTX_cleanup(dd);
313
314 p = s->s3->tmp.key_block;
315 i = EVP_MD_size(m);
316 if (i < 0)
317 goto err2;
318 cl = EVP_CIPHER_key_length(c);
319 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
320 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
321 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
322 k = EVP_CIPHER_iv_length(c);
323 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
324 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
325 ms = &(p[0]);
326 n = i + i;
327 key = &(p[n]);
328 n += j + j;
329 iv = &(p[n]);
330 n += k + k;
331 er1 = &(s->s3->client_random[0]);
332 er2 = &(s->s3->server_random[0]);
333 } else {
334 n = i;
335 ms = &(p[n]);
336 n += i + j;
337 key = &(p[n]);
338 n += j + k;
339 iv = &(p[n]);
340 n += k;
341 er1 = &(s->s3->server_random[0]);
342 er2 = &(s->s3->client_random[0]);
343 }
344
345 if (n > s->s3->tmp.key_block_length) {
346 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
347 goto err2;
348 }
349
350 EVP_MD_CTX_init(&md);
351 memcpy(mac_secret, ms, i);
352 if (is_exp) {
353 /*
354 * In here I set both the read and write key/iv to the same value
355 * since only the correct one will be used :-).
356 */
357 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
358 EVP_DigestUpdate(&md, key, j);
359 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
360 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
361 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
362 key = &(exp_key[0]);
363
364 if (k > 0) {
365 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
366 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
367 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
368 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
369 iv = &(exp_iv[0]);
370 }
371 }
372
373 s->session->key_arg_length = 0;
374
375 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
376
377 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
378 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
379 EVP_MD_CTX_cleanup(&md);
380 return (1);
381 err:
382 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
383 err2:
384 return (0);
385 }
386
387 int ssl3_setup_key_block(SSL *s)
388 {
389 unsigned char *p;
390 const EVP_CIPHER *c;
391 const EVP_MD *hash;
392 int num;
393 int ret = 0;
394 SSL_COMP *comp;
395
396 if (s->s3->tmp.key_block_length != 0)
397 return (1);
398
399 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
400 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
401 return (0);
402 }
403
404 s->s3->tmp.new_sym_enc = c;
405 s->s3->tmp.new_hash = hash;
406 #ifdef OPENSSL_NO_COMP
407 s->s3->tmp.new_compression = NULL;
408 #else
409 s->s3->tmp.new_compression = comp;
410 #endif
411
412 num = EVP_MD_size(hash);
413 if (num < 0)
414 return 0;
415
416 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
417 num *= 2;
418
419 ssl3_cleanup_key_block(s);
420
421 if ((p = OPENSSL_malloc(num)) == NULL)
422 goto err;
423
424 s->s3->tmp.key_block_length = num;
425 s->s3->tmp.key_block = p;
426
427 ret = ssl3_generate_key_block(s, p, num);
428
429 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
430 /*
431 * enable vulnerability countermeasure for CBC ciphers with known-IV
432 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
433 */
434 s->s3->need_empty_fragments = 1;
435
436 if (s->session->cipher != NULL) {
437 if (s->session->cipher->algorithm_enc == SSL_eNULL)
438 s->s3->need_empty_fragments = 0;
439
440 #ifndef OPENSSL_NO_RC4
441 if (s->session->cipher->algorithm_enc == SSL_RC4)
442 s->s3->need_empty_fragments = 0;
443 #endif
444 }
445 }
446
447 return ret;
448
449 err:
450 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
451 return (0);
452 }
453
454 void ssl3_cleanup_key_block(SSL *s)
455 {
456 if (s->s3->tmp.key_block != NULL) {
457 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
458 OPENSSL_free(s->s3->tmp.key_block);
459 s->s3->tmp.key_block = NULL;
460 }
461 s->s3->tmp.key_block_length = 0;
462 }
463
464 /*-
465 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
466 *
467 * Returns:
468 * 0: (in non-constant time) if the record is publically invalid (i.e. too
469 * short etc).
470 * 1: if the record's padding is valid / the encryption was successful.
471 * -1: if the record's padding is invalid or, if sending, an internal error
472 * occured.
473 */
474 int ssl3_enc(SSL *s, int send)
475 {
476 SSL3_RECORD *rec;
477 EVP_CIPHER_CTX *ds;
478 unsigned long l;
479 int bs, i, mac_size = 0;
480 const EVP_CIPHER *enc;
481
482 if (send) {
483 ds = s->enc_write_ctx;
484 rec = &(s->s3->wrec);
485 if (s->enc_write_ctx == NULL)
486 enc = NULL;
487 else
488 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
489 } else {
490 ds = s->enc_read_ctx;
491 rec = &(s->s3->rrec);
492 if (s->enc_read_ctx == NULL)
493 enc = NULL;
494 else
495 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
496 }
497
498 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
499 memmove(rec->data, rec->input, rec->length);
500 rec->input = rec->data;
501 } else {
502 l = rec->length;
503 bs = EVP_CIPHER_block_size(ds->cipher);
504
505 /* COMPRESS */
506
507 if ((bs != 1) && send) {
508 i = bs - ((int)l % bs);
509
510 /* we need to add 'i-1' padding bytes */
511 l += i;
512 /*
513 * the last of these zero bytes will be overwritten with the
514 * padding length.
515 */
516 memset(&rec->input[rec->length], 0, i);
517 rec->length += i;
518 rec->input[l - 1] = (i - 1);
519 }
520
521 if (!send) {
522 if (l == 0 || l % bs != 0)
523 return 0;
524 /* otherwise, rec->length >= bs */
525 }
526
527 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
528 return -1;
529
530 if (EVP_MD_CTX_md(s->read_hash) != NULL)
531 mac_size = EVP_MD_CTX_size(s->read_hash);
532 if ((bs != 1) && !send)
533 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
534 }
535 return (1);
536 }
537
538 void ssl3_init_finished_mac(SSL *s)
539 {
540 if (s->s3->handshake_buffer)
541 BIO_free(s->s3->handshake_buffer);
542 if (s->s3->handshake_dgst)
543 ssl3_free_digest_list(s);
544 s->s3->handshake_buffer = BIO_new(BIO_s_mem());
545 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
546 }
547
548 void ssl3_free_digest_list(SSL *s)
549 {
550 int i;
551 if (!s->s3->handshake_dgst)
552 return;
553 for (i = 0; i < SSL_MAX_DIGEST; i++) {
554 if (s->s3->handshake_dgst[i])
555 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
556 }
557 OPENSSL_free(s->s3->handshake_dgst);
558 s->s3->handshake_dgst = NULL;
559 }
560
561 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
562 {
563 if (s->s3->handshake_buffer
564 && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
565 BIO_write(s->s3->handshake_buffer, (void *)buf, len);
566 } else {
567 int i;
568 for (i = 0; i < SSL_MAX_DIGEST; i++) {
569 if (s->s3->handshake_dgst[i] != NULL)
570 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
571 }
572 }
573 }
574
575 int ssl3_digest_cached_records(SSL *s)
576 {
577 int i;
578 long mask;
579 const EVP_MD *md;
580 long hdatalen;
581 void *hdata;
582
583 /* Allocate handshake_dgst array */
584 ssl3_free_digest_list(s);
585 s->s3->handshake_dgst =
586 OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
587 memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
588 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
589 if (hdatalen <= 0) {
590 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
591 return 0;
592 }
593
594 /* Loop through bitso of algorithm2 field and create MD_CTX-es */
595 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
596 if ((mask & ssl_get_algorithm2(s)) && md) {
597 s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
598 #ifdef OPENSSL_FIPS
599 if (EVP_MD_nid(md) == NID_md5) {
600 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
601 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
602 }
603 #endif
604 EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL);
605 EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen);
606 } else {
607 s->s3->handshake_dgst[i] = NULL;
608 }
609 }
610 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
611 /* Free handshake_buffer BIO */
612 BIO_free(s->s3->handshake_buffer);
613 s->s3->handshake_buffer = NULL;
614 }
615
616 return 1;
617 }
618
619 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
620 {
621 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
622 }
623
624 int ssl3_final_finish_mac(SSL *s,
625 const char *sender, int len, unsigned char *p)
626 {
627 int ret, sha1len;
628 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
629 if (ret == 0)
630 return 0;
631
632 p += ret;
633
634 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
635 if (sha1len == 0)
636 return 0;
637
638 ret += sha1len;
639 return (ret);
640 }
641
642 static int ssl3_handshake_mac(SSL *s, int md_nid,
643 const char *sender, int len, unsigned char *p)
644 {
645 unsigned int ret;
646 int npad, n;
647 unsigned int i;
648 unsigned char md_buf[EVP_MAX_MD_SIZE];
649 EVP_MD_CTX ctx, *d = NULL;
650
651 if (s->s3->handshake_buffer)
652 if (!ssl3_digest_cached_records(s))
653 return 0;
654
655 /*
656 * Search for digest of specified type in the handshake_dgst array
657 */
658 for (i = 0; i < SSL_MAX_DIGEST; i++) {
659 if (s->s3->handshake_dgst[i]
660 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
661 d = s->s3->handshake_dgst[i];
662 break;
663 }
664 }
665 if (!d) {
666 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
667 return 0;
668 }
669 EVP_MD_CTX_init(&ctx);
670 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
671 EVP_MD_CTX_copy_ex(&ctx, d);
672 n = EVP_MD_CTX_size(&ctx);
673 if (n < 0)
674 return 0;
675
676 npad = (48 / n) * n;
677 if (sender != NULL)
678 EVP_DigestUpdate(&ctx, sender, len);
679 EVP_DigestUpdate(&ctx, s->session->master_key,
680 s->session->master_key_length);
681 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
682 EVP_DigestFinal_ex(&ctx, md_buf, &i);
683
684 EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL);
685 EVP_DigestUpdate(&ctx, s->session->master_key,
686 s->session->master_key_length);
687 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
688 EVP_DigestUpdate(&ctx, md_buf, i);
689 EVP_DigestFinal_ex(&ctx, p, &ret);
690
691 EVP_MD_CTX_cleanup(&ctx);
692
693 return ((int)ret);
694 }
695
696 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
697 {
698 SSL3_RECORD *rec;
699 unsigned char *mac_sec, *seq;
700 EVP_MD_CTX md_ctx;
701 const EVP_MD_CTX *hash;
702 unsigned char *p, rec_char;
703 size_t md_size, orig_len;
704 int npad;
705 int t;
706
707 if (send) {
708 rec = &(ssl->s3->wrec);
709 mac_sec = &(ssl->s3->write_mac_secret[0]);
710 seq = &(ssl->s3->write_sequence[0]);
711 hash = ssl->write_hash;
712 } else {
713 rec = &(ssl->s3->rrec);
714 mac_sec = &(ssl->s3->read_mac_secret[0]);
715 seq = &(ssl->s3->read_sequence[0]);
716 hash = ssl->read_hash;
717 }
718
719 t = EVP_MD_CTX_size(hash);
720 if (t < 0)
721 return -1;
722 md_size = t;
723 npad = (48 / md_size) * md_size;
724
725 /*
726 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
727 */
728 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
729 rec->type &= 0xff;
730
731 if (!send &&
732 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
733 ssl3_cbc_record_digest_supported(hash)) {
734 /*
735 * This is a CBC-encrypted record. We must avoid leaking any
736 * timing-side channel information about how many blocks of data we
737 * are hashing because that gives an attacker a timing-oracle.
738 */
739
740 /*-
741 * npad is, at most, 48 bytes and that's with MD5:
742 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
743 *
744 * With SHA-1 (the largest hash speced for SSLv3) the hash size
745 * goes up 4, but npad goes down by 8, resulting in a smaller
746 * total size.
747 */
748 unsigned char header[75];
749 unsigned j = 0;
750 memcpy(header + j, mac_sec, md_size);
751 j += md_size;
752 memcpy(header + j, ssl3_pad_1, npad);
753 j += npad;
754 memcpy(header + j, seq, 8);
755 j += 8;
756 header[j++] = rec->type;
757 header[j++] = rec->length >> 8;
758 header[j++] = rec->length & 0xff;
759
760 /* Final param == is SSLv3 */
761 ssl3_cbc_digest_record(hash,
762 md, &md_size,
763 header, rec->input,
764 rec->length + md_size, orig_len,
765 mac_sec, md_size, 1);
766 } else {
767 unsigned int md_size_u;
768 /* Chop the digest off the end :-) */
769 EVP_MD_CTX_init(&md_ctx);
770
771 EVP_MD_CTX_copy_ex(&md_ctx, hash);
772 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
773 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
774 EVP_DigestUpdate(&md_ctx, seq, 8);
775 rec_char = rec->type;
776 EVP_DigestUpdate(&md_ctx, &rec_char, 1);
777 p = md;
778 s2n(rec->length, p);
779 EVP_DigestUpdate(&md_ctx, md, 2);
780 EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
781 EVP_DigestFinal_ex(&md_ctx, md, NULL);
782
783 EVP_MD_CTX_copy_ex(&md_ctx, hash);
784 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
785 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
786 EVP_DigestUpdate(&md_ctx, md, md_size);
787 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
788 md_size = md_size_u;
789
790 EVP_MD_CTX_cleanup(&md_ctx);
791 }
792
793 ssl3_record_sequence_update(seq);
794 return (md_size);
795 }
796
797 void ssl3_record_sequence_update(unsigned char *seq)
798 {
799 int i;
800
801 for (i = 7; i >= 0; i--) {
802 ++seq[i];
803 if (seq[i] != 0)
804 break;
805 }
806 }
807
808 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
809 int len)
810 {
811 static const unsigned char *salt[3] = {
812 #ifndef CHARSET_EBCDIC
813 (const unsigned char *)"A",
814 (const unsigned char *)"BB",
815 (const unsigned char *)"CCC",
816 #else
817 (const unsigned char *)"\x41",
818 (const unsigned char *)"\x42\x42",
819 (const unsigned char *)"\x43\x43\x43",
820 #endif
821 };
822 unsigned char buf[EVP_MAX_MD_SIZE];
823 EVP_MD_CTX ctx;
824 int i, ret = 0;
825 unsigned int n;
826
827 EVP_MD_CTX_init(&ctx);
828 for (i = 0; i < 3; i++) {
829 EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL);
830 EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i]));
831 EVP_DigestUpdate(&ctx, p, len);
832 EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
833 EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
834 EVP_DigestFinal_ex(&ctx, buf, &n);
835
836 EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL);
837 EVP_DigestUpdate(&ctx, p, len);
838 EVP_DigestUpdate(&ctx, buf, n);
839 EVP_DigestFinal_ex(&ctx, out, &n);
840 out += n;
841 ret += n;
842 }
843 EVP_MD_CTX_cleanup(&ctx);
844 OPENSSL_cleanse(buf, sizeof buf);
845 return (ret);
846 }
847
848 int ssl3_alert_code(int code)
849 {
850 switch (code) {
851 case SSL_AD_CLOSE_NOTIFY:
852 return (SSL3_AD_CLOSE_NOTIFY);
853 case SSL_AD_UNEXPECTED_MESSAGE:
854 return (SSL3_AD_UNEXPECTED_MESSAGE);
855 case SSL_AD_BAD_RECORD_MAC:
856 return (SSL3_AD_BAD_RECORD_MAC);
857 case SSL_AD_DECRYPTION_FAILED:
858 return (SSL3_AD_BAD_RECORD_MAC);
859 case SSL_AD_RECORD_OVERFLOW:
860 return (SSL3_AD_BAD_RECORD_MAC);
861 case SSL_AD_DECOMPRESSION_FAILURE:
862 return (SSL3_AD_DECOMPRESSION_FAILURE);
863 case SSL_AD_HANDSHAKE_FAILURE:
864 return (SSL3_AD_HANDSHAKE_FAILURE);
865 case SSL_AD_NO_CERTIFICATE:
866 return (SSL3_AD_NO_CERTIFICATE);
867 case SSL_AD_BAD_CERTIFICATE:
868 return (SSL3_AD_BAD_CERTIFICATE);
869 case SSL_AD_UNSUPPORTED_CERTIFICATE:
870 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
871 case SSL_AD_CERTIFICATE_REVOKED:
872 return (SSL3_AD_CERTIFICATE_REVOKED);
873 case SSL_AD_CERTIFICATE_EXPIRED:
874 return (SSL3_AD_CERTIFICATE_EXPIRED);
875 case SSL_AD_CERTIFICATE_UNKNOWN:
876 return (SSL3_AD_CERTIFICATE_UNKNOWN);
877 case SSL_AD_ILLEGAL_PARAMETER:
878 return (SSL3_AD_ILLEGAL_PARAMETER);
879 case SSL_AD_UNKNOWN_CA:
880 return (SSL3_AD_BAD_CERTIFICATE);
881 case SSL_AD_ACCESS_DENIED:
882 return (SSL3_AD_HANDSHAKE_FAILURE);
883 case SSL_AD_DECODE_ERROR:
884 return (SSL3_AD_HANDSHAKE_FAILURE);
885 case SSL_AD_DECRYPT_ERROR:
886 return (SSL3_AD_HANDSHAKE_FAILURE);
887 case SSL_AD_EXPORT_RESTRICTION:
888 return (SSL3_AD_HANDSHAKE_FAILURE);
889 case SSL_AD_PROTOCOL_VERSION:
890 return (SSL3_AD_HANDSHAKE_FAILURE);
891 case SSL_AD_INSUFFICIENT_SECURITY:
892 return (SSL3_AD_HANDSHAKE_FAILURE);
893 case SSL_AD_INTERNAL_ERROR:
894 return (SSL3_AD_HANDSHAKE_FAILURE);
895 case SSL_AD_USER_CANCELLED:
896 return (SSL3_AD_HANDSHAKE_FAILURE);
897 case SSL_AD_NO_RENEGOTIATION:
898 return (-1); /* Don't send it :-) */
899 case SSL_AD_UNSUPPORTED_EXTENSION:
900 return (SSL3_AD_HANDSHAKE_FAILURE);
901 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
902 return (SSL3_AD_HANDSHAKE_FAILURE);
903 case SSL_AD_UNRECOGNIZED_NAME:
904 return (SSL3_AD_HANDSHAKE_FAILURE);
905 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
906 return (SSL3_AD_HANDSHAKE_FAILURE);
907 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
908 return (SSL3_AD_HANDSHAKE_FAILURE);
909 case SSL_AD_UNKNOWN_PSK_IDENTITY:
910 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
911 case SSL_AD_INAPPROPRIATE_FALLBACK:
912 return (TLS1_AD_INAPPROPRIATE_FALLBACK);
913 default:
914 return (-1);
915 }
916 }
Tomato firmware and modifications.